improve detection of suspicious redirect URLs; add test list

bump to 2.4.11rc1 Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
OpenIDC · Jan 6, 2022 · 1a394a8 · 1a394a8
1 parent 319f225
commit 1a394a8
Show file tree

Hide file tree

Showing 7 changed files with 904 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+01/06/2022
+- improve detection of suspicious redirect URLs; add test list
+- bump to 2.4.11rc1
+
 12/24/2021
 - make interpretation of X-Forwarded-* headers configurable, defaulting to none
   so mod_auth_openidc running behind a reverse proxy that sets X-Forwarded-* headers

diff --git a/Makefile.am b/Makefile.am
@@ -61,7 +61,8 @@ EXTRA_DIST = \
 	LICENSE.txt \
 	auth_openidc.conf \
 	test/public.pem \
-	test/certificate.pem
+	test/certificate.pem \
+	test/open-redirect-payload-list.txt
 
 noinst_DATA = mod_auth_openidc.la
 

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.11rc0],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_auth_openidc],[2.4.11rc1],[hans.zandbelt@zmartzone.eu])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -2430,7 +2430,7 @@ static int oidc_target_link_uri_matches_configuration(request_rec *r,
 
 #define OIDC_MAX_URL_LENGTH 8192 * 2
 
-static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
 		const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str,
 		char **err_desc) {
 	apr_uri_t uri;
@@ -2515,6 +2515,19 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
 		return FALSE;
 	}
 
+	if ((strstr(url, "/%09") != NULL) || (strstr(url, "/%2f") != NULL)
+			|| (strstr(url, "/%68") != NULL) || (strstr(url, "/.") != NULL)
+			|| (strstr(url, "/http:") != NULL) || (strstr(url, "/https:") != NULL)
+			|| (strstr(url, "/javascript:") != NULL) || (strstr(url, "/〱") != NULL)
+			|| (strstr(url, "/〵") != NULL) || (strstr(url, "/ゝ") != NULL)
+			|| (strstr(url, "/ー") != NULL) || (strstr(url, "/〱") != NULL)
+			|| (strstr(url, "/ｰ") != NULL) || (strstr(url, "/<") != NULL)
+			|| (strstr(url, "%01javascript:") != NULL) || (strstr(url, "/%5c") != NULL)) {
+		*err_str = apr_pstrdup(r->pool, "Invalid URL");
+		*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
+		oidc_error(r, "%s: %s", *err_str, *err_desc);
+		return FALSE;
+	}
 	return TRUE;
 }
 

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -693,6 +693,7 @@ apr_byte_t oidc_proto_handle_authorization_response_idtoken(request_rec *r, oidc
 apr_byte_t oidc_proto_validate_access_token(request_rec *r, oidc_provider_t *provider, oidc_jwt_t *jwt, const char *response_type, const char *access_token);
 apr_byte_t oidc_proto_validate_code(request_rec *r, oidc_provider_t *provider, oidc_jwt_t *jwt, const char *response_type, const char *code);
 apr_byte_t oidc_proto_validate_nonce(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, const char *nonce, oidc_jwt_t *jwt);
+apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c, const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str, char **err_desc);
 
 // oidc_authz.c
 typedef apr_byte_t (*oidc_authz_match_claim_fn_type)(request_rec *, const char * const, const json_t * const);