diff -Nru libapache2-mod-auth-openidc-2.3.10/ChangeLog libapache2-mod-auth-openidc-2.3.10.2/ChangeLog
--- libapache2-mod-auth-openidc-2.3.10/ChangeLog 2018-12-31 10:40:31.000000000 +0000
+++ libapache2-mod-auth-openidc-2.3.10.2/ChangeLog 2019-01-22 10:48:47.000000000 +0000
@@ -1,3 +1,11 @@
+01/22/2019
+- fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in OIDC Session Management RP iframe; thanks Mischa Bachmann
+- release 2.3.10.2
+
+01/16/2019
+- fix bug in current URL detection where query parameters would be duplicated; see #420; thanks @jreynaert
+- release 2.3.10.1
+
 12/31/2018
 - fix warning printout in oidc_delete_oldest_state_cookies
 - release 2.3.10
diff -Nru libapache2-mod-auth-openidc-2.3.10/configure libapache2-mod-auth-openidc-2.3.10.2/configure
--- libapache2-mod-auth-openidc-2.3.10/configure 2018-12-31 10:41:33.000000000 +0000
+++ libapache2-mod-auth-openidc-2.3.10.2/configure 2019-01-22 09:37:02.000000000 +0000
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.3.10. +# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.3.10.2. # # Report bugs to . #
@@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='mod_auth_openidc' PACKAGE_TARNAME='mod_auth_openidc' -PACKAGE_VERSION='2.3.10' -PACKAGE_STRING='mod_auth_openidc 2.3.10' +PACKAGE_VERSION='2.3.10.2' +PACKAGE_STRING='mod_auth_openidc 2.3.10.2' PACKAGE_BUGREPORT='hans.zandbelt@zmartzone.eu' PACKAGE_URL=''
@@ -1269,7 +1269,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mod_auth_openidc 2.3.10 to adapt to many kinds of systems. +\`configure' configures mod_auth_openidc 2.3.10.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1331,7 +1331,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mod_auth_openidc 2.3.10:";; + short | recursive ) echo "Configuration of mod_auth_openidc 2.3.10.2:";; esac cat <<\_ACEOF
@@ -1445,7 +1445,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mod_auth_openidc configure 2.3.10 +mod_auth_openidc configure 2.3.10.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1747,7 +1747,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mod_auth_openidc $as_me 2.3.10, which was +It was created by mod_auth_openidc $as_me 2.3.10.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@
@@ -2096,7 +2096,7 @@ -NAMEVER=mod_auth_openidc-2.3.10 +NAMEVER=mod_auth_openidc-2.3.10.2 # This section defines the --with-apxs2 option.
@@ -4886,7 +4886,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mod_auth_openidc $as_me 2.3.10, which was +This file was extended by mod_auth_openidc $as_me 2.3.10.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES
@@ -4939,7 +4939,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -mod_auth_openidc config.status 2.3.10 +mod_auth_openidc config.status 2.3.10.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\"
diff -Nru libapache2-mod-auth-openidc-2.3.10/configure.ac libapache2-mod-auth-openidc-2.3.10.2/configure.ac
--- libapache2-mod-auth-openidc-2.3.10/configure.ac 2018-12-31 10:26:27.000000000 +0000
+++ libapache2-mod-auth-openidc-2.3.10.2/configure.ac 2019-01-22 09:34:55.000000000 +0000
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.3.10],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_auth_openidc],[2.3.10.2],[hans.zandbelt@zmartzone.eu])
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff -Nru libapache2-mod-auth-openidc-2.3.10/debian/changelog libapache2-mod-auth-openidc-2.3.10.2/debian/changelog
--- libapache2-mod-auth-openidc-2.3.10/debian/changelog 2019-01-02 13:58:25.000000000 +0000
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-01-29 20:40:30.000000000 +0000
@@ -1,3 +1,9 @@
+libapache2-mod-auth-openidc (2.3.10.2-1) unstable; urgency=medium
+
+ * New upstream version 2.3.10.2
+
+ -- Moritz Schlarb Tue, 29 Jan 2019 21:40:30 +0100
+
 libapache2-mod-auth-openidc (2.3.10-1) unstable; urgency=medium
 [ Frédéric Bonnard ]
diff -Nru libapache2-mod-auth-openidc-2.3.10/README.md libapache2-mod-auth-openidc-2.3.10.2/README.md
--- libapache2-mod-auth-openidc-2.3.10/README.md 2018-12-24 05:06:21.000000000 +0000
+++ libapache2-mod-auth-openidc-2.3.10.2/README.md 2019-01-21 15:56:26.000000000 +0000
@@ -39,7 +39,7 @@
 - [OAuth 2.0 Multiple Response Type Encoding Practices 1.0](http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
 - [OAuth 2.0 Form Post Response Mode 1.0](http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
 - [RFC7 7636 - Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
-- [OpenID Connect Session Management 1.0](http://openid.net/specs/openid-connect-session-1_0.html) *(implementers draft; see the [Wiki](https://github.com/zmartzone/mod_auth_openidc/wiki/Session-Management) for information on how to configure it)*
+- [OpenID Connect Session Management 1.0](http://openid.net/specs/openid-connect-session-1_0.html) *(implementers draft; see the [Wiki](https://github.com/zmartzone/mod_auth_openidc/wiki/OpenID-Connect-Session-Management) for information on how to configure it)*
 - [OpenID Connect Front-Channel Logout 1.0](http://openid.net/specs/openid-connect-frontchannel-1_0.html) *(implementers draft)*
 - [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html) *(implementers draft)*
 - [Encoding claims in the OAuth 2 state parameter using a JWT](https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-08) *(draft spec)*
@@ -121,26 +121,6 @@
 The above is an authorization example of an exact match of a provided claim against a string value. For more authorization options see the [Wiki page on Authorization](https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization).
-### OpenID Connect SSO with Keycloak
-
-See also the [Wiki page on Keycloak](https://github.com/zmartzone/mod_auth_openidc/wiki/Keycloak)
-
-```apache
-OIDCProviderMetadataURL https://keycloak.example.net/auth/realms/master/.well-known/openid-configuration
-# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
-OIDCRedirectURI https://www.example.net/example/oauth2callback
-OIDCCryptoPassphrase random1234
-OIDCClientID
-OIDCClientSecret
-OIDCRemoteUserClaim email
-OIDCScope "openid email"
-
- AuthType openid-connect
- Require valid-user
-
-```
-
 ### Quickstart with a generic OpenID Connect Provider
 1. install and load `mod_auth_openidc.so` in your Apache server
@@ -169,6 +149,17 @@
 ```
 For details on configuring multiple providers see the [Wiki](https://github.com/zmartzone/mod_auth_openidc/wiki/Multiple-Providers).
+### Quickstart for Other Providers
+
+See the [Wiki](https://github.com/zmartzone/mod_auth_openidc/wiki) for configuration docs for other OpenID Connect Providers:
+- [GLUU Server](https://github.com/zmartzone/mod_auth_openidc/wiki/Gluu-Server)
+- [Keycloak](https://github.com/zmartzone/mod_auth_openidc/wiki/Keycloak)
+- [Azure AD](https://github.com/zmartzone/mod_auth_openidc/wiki/Azure-OAuth2.0-and-OpenID)
+- [LemonLDAP::NG](https://github.com/zmartzone/mod_auth_openidc/wiki/LemonLDAP::NG)
+- [GitLab](https://github.com/zmartzone/mod_auth_openidc/wiki/GitLab-OAuth2)
+- [Globus](https://github.com/zmartzone/mod_auth_openidc/wiki/Globus)
+and [more](https://github.com/zmartzone/mod_auth_openidc/wiki/Useful-Links)
+
 ### Quickstart with a generic OAuth 2.0 Resource Server
 Using "local" validation of JWT bearer tokens:
diff -Nru libapache2-mod-auth-openidc-2.3.10/src/mod_auth_openidc.c libapache2-mod-auth-openidc-2.3.10.2/src/mod_auth_openidc.c
--- libapache2-mod-auth-openidc-2.3.10/src/mod_auth_openidc.c 2018-12-31 10:37:57.000000000 +0000
+++ libapache2-mod-auth-openidc-2.3.10.2/src/mod_auth_openidc.c 2019-01-22 10:51:32.000000000 +0000
@@ -3106,7 +3106,7 @@
 "\n"
 " function setTimer() {\n"
 " checkSession();\n"
- " timerID = setInterval('checkSession()', %s);\n"
+ " timerID = setInterval('checkSession()', %d);\n"
 " }\n"
 "\n"
 " function receiveMessage(e) {\n"
@@ -3149,12 +3149,13 @@
 char *s_poll_interval = NULL;
 oidc_util_get_request_parameter(r, "poll", &s_poll_interval);
- if (s_poll_interval == NULL)
- s_poll_interval = "3000";
+ int poll_interval = s_poll_interval ? strtol(s_poll_interval, NULL, 10) : 0;
+ if ((poll_interval <= 0) || (poll_interval > 3600 * 24))
+ poll_interval = 3000;
 const char *redirect_uri = oidc_get_redirect_uri(r, c);
 java_script = apr_psprintf(r->pool, java_script, origin, client_id,
- session_state, op_iframe_id, s_poll_interval, redirect_uri,
+ session_state, op_iframe_id, poll_interval, redirect_uri,
 redirect_uri);
 return oidc_util_html_send(r, NULL, java_script, "setTimer", NULL, DONE);
diff -Nru libapache2-mod-auth-openidc-2.3.10/src/util.c libapache2-mod-auth-openidc-2.3.10.2/src/util.c
--- libapache2-mod-auth-openidc-2.3.10/src/util.c 2018-12-31 10:04:13.000000000 +0000
+++ libapache2-mod-auth-openidc-2.3.10.2/src/util.c 2019-01-16 12:01:20.000000000 +0000
@@ -502,7 +502,7 @@
 if ((path) && (path[0] != '/')) {
 memset(&uri, 0, sizeof(apr_uri_t));
 if (apr_uri_parse(r->pool, r->uri, &uri) == APR_SUCCESS)
- path = uri.path;
+ path = apr_pstrcat(r->pool, uri.path, (r->args != NULL && *r->args != '\0' ? "?" : ""), r->args, NULL);
 else
 oidc_warn(r, "apr_uri_parse failed on non-relative URL: %s", r->uri);
 } else {
@@ -510,9 +510,7 @@
 path = r->unparsed_uri;
 }
- url = apr_pstrcat(r->pool, oidc_get_current_url_base(r), path,
- (r->args != NULL && *r->args != '\0' ? "?" : ""), r->args,
- NULL);
+ url = apr_pstrcat(r->pool, oidc_get_current_url_base(r), path, NULL);
 oidc_debug(r, "current URL '%s'", url);
diff -Nru libapache2-mod-auth-openidc-2.3.10/test/test.c libapache2-mod-auth-openidc-2.3.10.2/test/test.c
--- libapache2-mod-auth-openidc-2.3.10/test/test.c 2018-12-31 10:04:13.000000000 +0000
+++ libapache2-mod-auth-openidc-2.3.10.2/test/test.c 2019-01-16 12:03:41.000000000 +0000
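Review bot: `strtol(s_poll_interval, NULL, 10)` accepts trailing non-digits because of the NULL endptr, and its `long` result is narrowed into `int poll_interval` without an `errno`/`ERANGE` check, so an oversized or malformed `poll` value reaches the range comparison already truncated; the subsequent `(0, 3600 * 24]` clamp together with the `%s`→`%d` change in the previous hunk still guarantee that only a bounded integer is formatted into the script, so this is hardening of the parse, not a remaining injection. I would parse into a `long` with an endptr, reject non-numeric input explicitly, and only then narrow, as below (`<errno.h>` is needed if this file does not already include it). The cap `3600 * 24` is in the unit `setInterval` takes, milliseconds, i.e. 86.4 s; if a day was intended it would be `3600 * 24 * 1000`, so a comment stating the unit and the intended cap would remove the ambiguity, e.g. `/* poll is in milliseconds; anything outside (0, cap] falls back to 3000 */`. The enclosing function starts before this hunk.
```c
	oidc_util_get_request_parameter(r, "poll", &s_poll_interval);
	char *end = NULL;
	errno = 0;
	long parsed = s_poll_interval ? strtol(s_poll_interval, &end, 10) : 0;
	/* poll is in milliseconds; reject trailing garbage, overflow and out-of-range values */
	int poll_interval = (s_poll_interval == NULL || *end != '\0' || errno == ERANGE
			|| parsed <= 0 || parsed > 3600 * 24) ? 3000 : (int) parsed;
	// … unchanged: redirect_uri lookup and apr_psprintf using poll_interval …
```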
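Review bot: In the `else` branch of the first util.c hunk, where `apr_uri_parse` fails, `path` keeps its pre-existing value and the query string is no longer appended to it, whereas before this change `r->args` was appended unconditionally at the `url = apr_pstrcat(...)` site in the second hunk; on that warning path the computed current URL now silently drops the query string. If that is not intended, the warn branch should append it as well, e.g. `path = apr_pstrcat(r->pool, path, (r->args != NULL && *r->args != '\0' ? "?" : ""), r->args, NULL);` after the `oidc_warn` (which then needs braces). Relying on a NULL `r->args` acting as the `apr_pstrcat` terminator is carried over from the removed lines and is fine, but a one-line comment such as `/* a NULL r->args ends the vararg list early, which is the intended "no query" case */` would save the next reader a double take. `oidc_get_current_url` starts before this hunk.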
@@ -1195,7 +1195,7 @@
 char *url = NULL;
 r->uri = "/test";
- r->unparsed_uri = r->uri;
+ r->unparsed_uri = apr_pstrcat(r->pool, r->uri, "?", r->args, NULL);
 url = oidc_get_current_url(r);
 TST_ASSERT_STR("test_current_url (1)", url, "https://www.example.com/test?foo=bar¶m1=value1");