head	1.3;
access;
symbols
	pkgsrc-2018Q1:1.2.0.14
	pkgsrc-2018Q1-base:1.2
	pkgsrc-2017Q4:1.2.0.12
	pkgsrc-2017Q4-base:1.2
	pkgsrc-2017Q3:1.2.0.10
	pkgsrc-2017Q3-base:1.2
	pkgsrc-2017Q2:1.2.0.6
	pkgsrc-2017Q2-base:1.2
	pkgsrc-2017Q1:1.2.0.4
	pkgsrc-2017Q1-base:1.2
	pkgsrc-2016Q4:1.2.0.2
	pkgsrc-2016Q4-base:1.2;
locks; strict;
comment	@# @;


1.3
date	2018.05.04.02.53.39;	author manu;	state dead;
branches;
next	1.2;
commitid	WYE8jX3FaxU5rVAA;

1.2
date	2016.10.27.12.53.13;	author manu;	state Exp;
branches;
next	1.1;
commitid	U4C1X59cz0rBAMrz;

1.1
date	2016.10.18.15.13.41;	author manu;	state Exp;
branches;
next	;
commitid	Mrx455DryexMEDqz;


desc
@@


1.3
log
@Updated www/ap2-auth-mellon to 0.14.0

Changes since 0.12.0 include a fix for CVE-2017-6807

Version 0.14.0
==============

* Backwards incompatible changes

  This version switches the default signature algorithm used when
  signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
  allow messages to be signed with that algorithm, you need to add a
  setting switching back to the old algorithm:

  MellonSignatureMethod rsa-sha1

  Note that this only affects messages sent from mod_auth_mellon to your
  IdP. It does not affect authentication responses or other messages
  sent from your IdP to mod_auth_mellon.

* New features

    Many improvements in what is logged during various errors.

    Diagnostics logging, which creates a detailed log during request
    processing.

    Add support for selecting which signature algorithm is used when
    signing messages, and switch to rsa-sha256 by default.

* Bug fixes

    Fix segmentation fault in POST replay functionality on empty value.

    Fix incorrect error check for many lasso_*-functions.

    Fix case sensitive match on MellonUser attribute name.


Version 0.13.1
==============

* Security fix

  Fix a cross-site session transfer vulnerability. mod_auth_mellon
  version 0.13.0 and older failed to validate that the session
  specified in the user's session cookie was created for the web site
  the user actually accesses.

  If two different web sites are hosted on the same web server, and
  both web sites use mod_auth_mellon for authentication, this
  vulnerability makes it possible for an attacker with access to one
  of the web sites to copy their session cookie to the other web
  site, and then use the same session to get access to the other web
  site.

  Thanks to François Kooman for reporting this vulnerability.

  This vulnerability has been assigned CVE-2017-6807.

  Note: The fix for this vunlerability makes mod_auth_mellon validate
  that the cookie parameters used when creating the session match
  the cookie parameters that should be used when accessing the current
  page. If you currently use mod_auth_mellon across multiple subdomains,
  you must make sure that you set the MellonCookie-option to the same
  value on all domains.  Bug fixes

    Fix segmentation fault if a (trusted) identity provider returns
    a SAML 2.0 attribute without a Name.

    Fix segmentation fault if MellonPostReplay is enabled but
    MellonPostDirectory is not set.

Version 0.13.0
==============

* Security fix

  Fix a denial of service attack in the logout handler, which allows
  a remote attacker to crash the Apache worker process with a
  segmentation fault. This is caused by a null-pointer dereference
  when processing a malformed logout message.  New features

    Allow MellonSecureCookie to be configured to enable just one
    of the "httponly" of "secure" flags, instead of always enabling
    both flags.
    Support per-module log level with Apache 2.4.
    Allow disabling the Cache-Control HTTP response header.
    Add support for SameSite cookie parameter.

* Bug fixes

    Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
    respond to the probe request.
    Fix mod_auth_mellon interfering with other Apache authentication
    modules even when it is disabled for a path.
    Fix wrong HTTP status code being returned in some cases during
    user permission checks.
    Fix default POST size limit to actually be 1 MB.
    Fix error if authentication response is missing the optional
    Conditions-element.
    Fix AJAX requests being redirected to the IdP.
    Fix wrong content type for ECP authentication request responses.

In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.
@
text
@$NetBSD: patch-0347,v 1.2 2016/10/27 12:53:13 manu Exp $

From 78fe67641918016a6108e325be351156999109c9 Mon Sep 17 00:00:00 2001
From: Emmanuel Dreyfus <manu@@netbsd.org>
Date: Tue, 18 Oct 2016 01:42:53 +0200
Subject: [PATCH] Do not redirect unauthenticated AJAX request to the IdP

When MellonEnable is "auth" and we get an unauthenticated AJAX
request (identified by the X-Request-With: XMLHttpRequest HTTP
header), fail with HTTP code 403 Forbidden instead of redirecting
to the IdP. This saves resources, as the client has no opportunity
to interract with the user to complete authentification.
---
 README                |  6 ++++++
 auth_mellon_handler.c | 14 ++++++++++++++
 2 files changed, 20 insertions(+)

diff --git README README
index ec323ab..5960cc8 100644
--- README
+++ README
@@@@ -166,6 +166,12 @@@@ MellonPostCount 100
         #           return a 403 Forbidden error. If he isn't authenticated
         #           then we will redirect him to the login page of the IdP.
         #
+        #           There is a special handling of AJAX requests, that are
+        #           identified by the "X-Request-With: XMLHttpRequest" HTTP
+        #           header. Since no user interaction can happen there,
+        #           we always fail unauthenticated (not logged in) requests
+        #           with a 403 Forbidden error without redirecting to the IdP.
+        #
         # Default: MellonEnable "off"
         MellonEnable "auth"
 
diff --git auth_mellon_handler.c auth_mellon_handler.c
index 0457189..a55828a 100644
--- auth_mellon_handler.c
+++ auth_mellon_handler.c
@@@@ -3491,6 +3491,7 @@@@ int am_auth_mellon_user(request_rec *r)
     am_dir_cfg_rec *dir = am_get_dir_cfg(r);
     int return_code = HTTP_UNAUTHORIZED;
     am_cache_entry_t *session;
+    const char *ajax_header;
 
     if (r->main) {
         /* We are a subrequest. Trust the main request to have
@@@@ -3534,6 +3535,19 @@@@ int am_auth_mellon_user(request_rec *r)
                 am_release_request_session(r, session);
             }
 
+            /*
+             * If this is an AJAX request, we cannot proceed to the IdP,
+             * Just fail early to save our resources
+             */
+            ajax_header = apr_table_get(r->headers_in, "X-Request-With");
+            if (ajax_header != NULL &&
+                strcmp(ajax_header, "XMLHttpRequest") == 0) {
+                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                      "Deny unauthenticated X-Request-With XMLHttpRequest "
+                      "(AJAX) request");
+                    return HTTP_FORBIDDEN;
+            }
+
 #ifdef HAVE_ECP
             /*
              * If PAOS set a flag on the request indicating we're
-- 
2.3.2

@


1.2
log
@Fix pkglint complains
@
text
@d1 1
a1 1
$NetBSD$
@


1.1
log
@Do not redirect unauthenticated AJAX request to the IdP

When MellonEnable is "auth" and we get an unauthenticated AJAX
request (identified by the X-Request-With: XMLHttpRequest HTTP
header), fail with HTTP code 403 Forbidden instead of redirecting
to the IdP. This saves resources, as the client has no opportunity
to interract with the user to complete authentification.
@
text
@d1 2
@