File fix-CVE-2021-32792-1.patch of Package apache2-mod_auth_openidc.16938

Overview Repositories Revisions Requests Users Attributes Meta

File fix-CVE-2021-32792-1.patch of Package apache2-mod_auth_openidc.16938

From 55ea0a085290cd2c8cdfdd960a230cbc38ba8b56 Mon Sep 17 00:00:00 2001
From: AIMOTO NORIHITO <aimoto@osstech.co.jp>
Date: Mon, 28 Jun 2021 13:05:52 +0900
Subject: [PATCH] Add a function to escape Javascript characters

---
 src/mod_auth_openidc.c |  6 ++--
 src/mod_auth_openidc.h |  1 +
 src/util.c             | 81 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+), 3 deletions(-)

Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.c
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
@@ -469,7 +469,7 @@ apr_byte_t oidc_post_preserve_javascript
 					"    </script>\n", jmethod, json,
 					location ?
 							apr_psprintf(r->pool, "window.location='%s';\n",
-									location) :
+									oidc_util_javascript_escape(r->pool, location)) :
 									"");
 	if (location == NULL) {
 		if (javascript_method)
@@ -517,7 +517,7 @@ static int oidc_request_post_preserved_r
 					"        document.forms[0].action = '%s';\n"
 					"        document.forms[0].submit();\n"
 					"      }\n"
-					"    </script>\n", method, original_url);
+					"    </script>\n", method, oidc_util_javascript_escape(r->pool, original_url));
 
 	const char *body = "    <p>Restoring...</p>\n"
 			"    <form method=\"post\"></form>\n";
@@ -1559,7 +1559,7 @@ static int oidc_session_redirect_parent_
 	char *java_script = apr_psprintf(r->pool,
 			"    <script type=\"text/javascript\">\n"
 			"      window.top.location.href = '%s?session=logout';\n"
-			"    </script>\n", oidc_get_redirect_uri(r, c));
+			"    </script>\n", oidc_util_javascript_escape(r->pool, oidc_get_redirect_uri(r, c)));
 
 	return oidc_util_html_send(r, "Redirecting...", java_script, NULL, NULL,
 			DONE);
Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.h
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.h
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.h
@@ -733,6 +733,7 @@ apr_byte_t oidc_json_object_get_string(a
 apr_byte_t oidc_json_object_get_int(apr_pool_t *pool, json_t *json, const char *name, int *value, const int default_value);
 apr_byte_t oidc_json_object_get_bool(apr_pool_t *pool, json_t *json, const char *name, int *value, const int default_value);
 char *oidc_util_html_escape(apr_pool_t *pool, const char *input);
+char *oidc_util_javascript_escape(apr_pool_t *pool, const char *input);
 void oidc_util_table_add_query_encoded_params(apr_pool_t *pool, apr_table_t *table, const char *params);
 apr_hash_t * oidc_util_merge_key_sets(apr_pool_t *pool, apr_hash_t *k1, apr_hash_t *k2);
 apr_byte_t oidc_util_regexp_substitute(apr_pool_t *pool, const char *input, const char *regexp, const char *replace, char **output, char **error_str);
Index: mod_auth_openidc-2.3.8/src/util.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/util.c
+++ mod_auth_openidc-2.3.8/src/util.c
@@ -370,6 +370,87 @@ char *oidc_util_html_escape(apr_pool_t *
 }
 
 /*
+ * JavaScript escape a string
+ */
+char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+    const char *cp;
+    char *output;
+    size_t outputlen;
+    int i;
+
+    if (s == NULL) {
+        return NULL;
+    }
+
+    outputlen = 0;
+    for (cp = s; *cp; cp++) {
+        switch (*cp) {
+        case '\'':
+        case '"':
+        case '\\':
+        case '/':
+        case 0x0D:
+        case 0x0A:
+            outputlen += 2;
+            break;
+        case '<':
+        case '>':
+            outputlen += 4;
+            break;
+        default:
+            outputlen += 1;
+            break;
+        }
+    }
+
+    i = 0;
+    output = apr_palloc(pool, outputlen + 1);
+    for (cp = s; *cp; cp++) {
+        switch (*cp) {
+        case '\'':
+            (void)strcpy(&output[i], "\\'");
+            i += 2;
+            break;
+        case '"':
+            (void)strcpy(&output[i], "\\\"");
+            i += 2;
+            break;
+        case '\\':
+            (void)strcpy(&output[i], "\\\\");
+            i += 2;
+            break;
+        case '/':
+            (void)strcpy(&output[i], "\\/");
+            i += 2;
+            break;
+        case 0x0D:
+            (void)strcpy(&output[i], "\\r");
+            i += 2;
+            break;
+        case 0x0A:
+            (void)strcpy(&output[i], "\\n");
+            i += 2;
+            break;
+        case '<':
+            (void)strcpy(&output[i], "\\x3c");
+            i += 4;
+            break;
+        case '>':
+            (void)strcpy(&output[i], "\\x3e");
+            i += 4;
+            break;
+        default:
+            output[i] = *cp;
+            i += 1;
+            break;
+        }
+    }
+    output[i] = '\0';
+    return output;
+}
+
+
+/*
  * get the URL scheme that is currently being accessed
  */
 static const char *oidc_get_current_url_scheme(const request_rec *r) {

Places

File fix-CVE-2021-32792-1.patch of Package apache2-mod_auth_openidc.16938

Places