File fix-CVE-2022-23527-1.patch of Package apache2-mod_auth_openidc

Overview Repositories Revisions Requests Users Attributes Meta

File fix-CVE-2022-23527-1.patch of Package apache2-mod_auth_openidc

From f38af0e2cb7a7e0e70544f032aaeb5db17352da5 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Thu, 6 Jan 2022 16:43:16 +0100
Subject: [PATCH] test: allow /. in redirect URLs

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
---
 src/mod_auth_openidc.c              | 15 ++++++++-------
 test/open-redirect-payload-list.txt |  3 ---
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index a6d4fd0a..c10fe526 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -2516,18 +2516,19 @@ apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
 	}
 
 	if ((strstr(url, "/%09") != NULL) || (strstr(url, "/%2f") != NULL)
-			|| (strstr(url, "/%68") != NULL) || (strstr(url, "/.") != NULL)
-			|| (strstr(url, "/http:") != NULL) || (strstr(url, "/https:") != NULL)
-			|| (strstr(url, "/javascript:") != NULL) || (strstr(url, "/〱") != NULL)
-			|| (strstr(url, "/〵") != NULL) || (strstr(url, "/ゝ") != NULL)
-			|| (strstr(url, "/ー") != NULL) || (strstr(url, "/〱") != NULL)
-			|| (strstr(url, "/ｰ") != NULL) || (strstr(url, "/<") != NULL)
-			|| (strstr(url, "%01javascript:") != NULL) || (strstr(url, "/%5c") != NULL)) {
+			|| (strstr(url, "/%68") != NULL) || (strstr(url, "/http:") != NULL)
+			|| (strstr(url, "/https:") != NULL) || (strstr(url, "/javascript:") != NULL)
+			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
+			|| (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
+			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/ｰ") != NULL)
+			|| (strstr(url, "/<") != NULL) || (strstr(url, "%01javascript:") != NULL)
+			|| (strstr(url, "/%5c") != NULL)) {
 		*err_str = apr_pstrdup(r->pool, "Invalid URL");
 		*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
 		oidc_error(r, "%s: %s", *err_str, *err_desc);
 		return FALSE;
 	}
+
 	return TRUE;
 }
 
diff --git a/test/open-redirect-payload-list.txt b/test/open-redirect-payload-list.txt
index f77887f8..84ab4200 100644
--- a/test/open-redirect-payload-list.txt
+++ b/test/open-redirect-payload-list.txt
@@ -4,7 +4,6 @@
 /%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
 /%5cexample.com
 /%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
-/.example.com
 //%09/example.com
 //%5cexample.com
 ///%09/example.com
@@ -554,7 +553,6 @@ javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
 /%2f%2flocaldomain.pw
 /localdomain.pw/%2f%2e%2e
 /http:/localdomain.pw
-/.localdomain.pw
 http://.localdomain.pw
 .localdomain.pw
 ///\;@localdomain.pw
@@ -831,7 +829,6 @@ javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
 /%2f%2fgoogle.com
 /google.com/%2f%2e%2e
 /http:/google.com
-/.google.com
 ///\;@google.com
 ///google.com
 /////google.com/
\ No newline at end of file

Places

File fix-CVE-2022-23527-1.patch of Package apache2-mod_auth_openidc

Places