head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.8 pkgsrc-2013Q2-base:1.4 pkgsrc-2012Q4:1.4.0.6 pkgsrc-2012Q4-base:1.4 pkgsrc-2011Q4:1.4.0.4 pkgsrc-2011Q4-base:1.4 pkgsrc-2011Q2:1.4.0.2 pkgsrc-2011Q2-base:1.4 pkgsrc-2010Q1:1.3.0.4 pkgsrc-2010Q1-base:1.3 pkgsrc-2009Q4:1.3.0.2 pkgsrc-2009Q4-base:1.3 pkgsrc-2009Q1:1.1.1.1.0.2 pkgsrc-2009Q1-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.4 date 2010.05.31.16.46.30; author manu; state dead; branches; next 1.3; 1.3 date 2009.12.20.11.31.30; author manu; state Exp; branches; next 1.2; 1.2 date 2009.06.06.10.27.31; author manu; state dead; branches; next 1.1; 1.1 date 2009.03.02.16.47.42; author manu; state Exp; branches 1.1.1.1; next ; 1.1.1.1 date 2009.03.02.16.47.42; author manu; state Exp; branches; next ; desc @@ 1.4 log @Update to 0.2.7. From the NEWS file: Version 0.2.7 --------------------------------------------------------------------------- * Optionaly ave the remote IdP entityId in the environment * Shibboleth 2 interoperability Version 0.2.6 --------------------------------------------------------------------------- * Fix XSS/DOS vulnerability in repost handler. @ text @$NetBSD: patch-aa,v 1.3 2009/12/20 11:31:30 manu Exp $ --- auth_mellon_handler.c.orig 2009-12-20 10:19:47.000000000 +0100 +++ auth_mellon_handler.c 2009-12-20 10:20:09.000000000 +0100 @@@@ -1899,9 +1899,9 @@@@ return HTTP_BAD_REQUEST; } /* Check that charset is sane */ - for (cp = psf_id; *cp; cp++) { + for (cp = charset; *cp; cp++) { if (!apr_isalnum(*cp) && (*cp != '-') && (*cp != '_')) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Bad repost query: invalid charset \"%s\"", charset); return HTTP_BAD_REQUEST; @ 1.3 log @Fix a XSS vulnerability @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @Update to 0.2.1: * Make SAML authentication assertion and Lasso session available in the environement. * Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.) * Multiple IdP support, with discovery service. 
* Built in discovery service which tests the availability of each IdP, and uses the first available IdP. * Fix a mutex leak. * MellonSecureCookie option, which enables Secure + HttpOnly flags on session cookies. * Better handling of logout request when the user is already logged out. @ text @d1 14 a14 114 $NetBSD: patch-aa,v 1.1 2009/03/02 16:47:42 manu Exp $ Index: auth_mellon_cookie.c =================================================================== --- auth_mellon_cookie.c (revision 39) +++ auth_mellon_cookie.c (working copy) @@@@ -140,13 +140,18 @@@@ { const char *name; char *cookie; + int secure_cookie; if (id == NULL) return; + secure_cookie = ((am_dir_cfg_rec *)am_get_dir_cfg(r))->secure; name = am_cookie_name(r); - cookie = apr_psprintf(r->pool, "%s=%s; Version=1; Path=/", name, id); + cookie = apr_psprintf(r->pool, + "%s=%s; Version=1; Path=/; Domain=%s%s;", + name, id, r->server->server_hostname, + secure_cookie ? "; HttpOnly; secure" : ""); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "cookie_set: %s", cookie); Index: auth_mellon.h =================================================================== --- auth_mellon.h (revision 39) +++ auth_mellon.h (working copy) @@@@ -127,6 +127,7 @@@@ am_decoder_t decoder; const char *varname; + int secure; apr_hash_t *require; apr_hash_t *envattr; const char *userattr; Index: README =================================================================== --- README (revision 39) +++ README (working copy) @@@@ -161,6 +161,13 @@@@ # Default: "cookie" MellonVariable "cookie" + # MellonSecureCookie enforces the HttpOnly and secure flags + # for the mod_mellon cookie + # Default: Off + MellonSecureCookie On + + # MellonSecureCookie enforces the HttpOnly and secure flags + # for the mod_mellon cookie # MellonUser selects which attribute we should use for the username. # The username is passed on to other apache modules and to the web # page the user visits. 
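Review bot: The rewritten apr_psprintf call in the auth_mellon_cookie.c hunk adds `Domain=%s` (r->server->server_hostname) unconditionally, which is unrelated to the MellonSecureCookie flag and widens the cookie's scope: a cookie with no Domain attribute is host-only, while one carrying a Domain attribute is also sent to subdomains of that host. If the intent is only to add the HttpOnly/secure flags, the Domain attribute should be dropped (or made a separate directive) and the format kept as `"%s=%s; Version=1; Path=/%s"` with `secure_cookie ? "; HttpOnly; secure" : ""` as the last argument. As written, the format string ends in `%s;` and the flag string begins with `; `, so the secure variant also emits a stray trailing `;` after `secure`. The function containing this call starts before the hunk.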
NAME_ID is an attribute which we set to @@@@ -257,7 +264,6 @@@@ # certificate for the IdP. # Default: None set. MellonIdPCAFile /etc/apache2/mellon/ca.pem - Index: auth_mellon_config.c =================================================================== --- auth_mellon_config.c (revision 39) +++ auth_mellon_config.c (working copy) @@@@ -39,6 +39,10 @@@@ */ static const char *default_cookie_name = "cookie"; +/* The default setting for cookie flags is to not enforce HttpOnly and secure + */ +static const int default_secure_cookie = 0; + /* This is the default IdP initiated login location * the MellonDefaultLoginPath configuration directive if you change this. */ @@@@ -352,6 +356,14 @@@@ " be 'mellon-cookie'." ), AP_INIT_TAKE1( + "MellonSecureCookie", + ap_set_flag_slot, + (void *)APR_OFFSETOF(am_dir_cfg_rec, secure), + OR_AUTHCFG, + "Whether the cookie set by auth_mellon should have HttpOnly and" + " secure flags set. Default is off." + ), + AP_INIT_TAKE1( "MellonUser", ap_set_string_slot, (void *)APR_OFFSETOF(am_dir_cfg_rec, userattr), @@@@ -480,6 +492,7 @@@@ dir->decoder = am_decoder_default; dir->varname = default_cookie_name; + dir->secure = default_secure_cookie; dir->require = apr_hash_make(p); dir->envattr = apr_hash_make(p); dir->userattr = default_user_attribute; @@@@ -541,6 +554,12 @@@@ add_cfg->varname : base_cfg->varname); + + new_cfg->secure = (add_cfg->secure != default_secure_cookie ? + add_cfg->secure : + base_cfg->secure); + + new_cfg->require = apr_hash_copy(p, (apr_hash_count(add_cfg->require) > 0) ? add_cfg->require : @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD$ @ 1.1.1.1 log @mod_auth_mellon is a authentication module for apache. It authenticates the user against a SAML 2.0 IdP, and and grants access to directories depending on attributes received from the IdP. @ text @@
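Review bot: The new `MellonSecureCookie` command-table entry in auth_mellon_config.c pairs `ap_set_flag_slot` with `AP_INIT_TAKE1`; `ap_set_flag_slot` takes an `int` On/Off argument and is intended for `AP_INIT_FLAG`, whereas a TAKE1 directive hands its handler a `const char *`, so the slot would likely be set from the pointer value rather than from the parsed On/Off. The entry should use `AP_INIT_FLAG("MellonSecureCookie", ap_set_flag_slot, (void *)APR_OFFSETOF(am_dir_cfg_rec, secure), OR_AUTHCFG, ...)`. In the merge hunk, `add_cfg->secure != default_secure_cookie ? add_cfg->secure : base_cfg->secure` means an explicit `MellonSecureCookie Off` in a child scope can never override `On` inherited from the parent, since Off equals the default; a tri-state unset value (for example -1, with the directive setting 0 or 1) is needed to tell "not configured" from "Off". Both the command table and the merge function extend beyond their hunks.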