This repository was archived by the owner on Jan 28, 2020. It is now read-only.

Commit 6204142

Fix redirect URL validation bypass
It turns out that browsers silently convert backslash characters into forward slashes, while apr_uri_parse() does not. This mismatch allows an attacker to bypass the redirect URL validation by using a URL like:

https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/

mod_auth_mellon will assume that it is a relative URL and allow the request to pass through, while the browsers will use it as an absolute URL and redirect to https://malicious.example.org/ .

This patch fixes this issue by rejecting all redirect URLs with backslashes.
1 parent 7bc4367 commit 6204142
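The parser differential the commit message describes, worked through in JavaScript as an added example; this is not mod_auth_mellon code and not part of the original page. Node's WHATWG `URL` stands in for the browser. An RFC 3986 Appendix B regex split stands in for apr_uri_parse(), on the assumption, taken from the commit message, that apr_uri_parse() treats `https:\\host/` as a scheme plus path with no hostname. The SP origin `https://sp.example.org` and the ReturnTo payload come from the commit message; the function names are mine. The hardened check deliberately goes beyond the patch: besides rejecting backslashes (the fix in this commit), it resolves the target the way a browser would and requires the resulting origin to match the SP.

```javascript
// Added example (not mod_auth_mellon code): the browser/apr_uri_parse()
// mismatch behind the ReturnTo bypass, and a hardened validator.

const SP_ORIGIN = "https://sp.example.org";   // assumed SP origin

// Constructed query string, taken from the commit message's example URL.
const PAYLOAD_QUERY = "ReturnTo=https:%5c%5cmalicious.example.org/";

// The ReturnTo value as the module would see it after percent-decoding:
// "%5c%5c" becomes two literal backslashes.
function decodedPayload() {
  return new URLSearchParams(PAYLOAD_QUERY).get("ReturnTo");
}

// RFC 3986 Appendix B split. Like apr_uri_parse() (assumption), only a
// literal "//" after the scheme introduces an authority, so a backslash
// leaves the host unset and everything after the colon becomes the path.
const RFC3986 =
  /^(?:([^:/?#]+):)?(?:\/\/([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/;

function rfc3986Parse(url) {
  const m = RFC3986.exec(url);
  return { scheme: m[1], authority: m[2], path: m[3] };
}

// Pre-patch style check: "no hostname => relative URL => safe".
function legacyIsAllowed(url) {
  const { authority } = rfc3986Parse(url);
  if (authority === undefined) return true;           // looks relative
  return authority.toLowerCase() === "sp.example.org";
}

// Where a browser actually goes: WHATWG parsing, resolved against the SP.
// For special schemes the WHATWG parser treats "\" like "/".
function browserDestination(url) {
  return new URL(url, SP_ORIGIN + "/").origin;
}

// Hardened check. First the character-level rejects (control characters,
// and the backslash reject this commit adds), then an origin comparison on
// the browser-resolved URL so any future normalisation quirk is caught too.
function hardenedIsAllowed(url) {
  for (const ch of url) {
    const code = ch.codePointAt(0);
    if (code < 0x20 || code === 0x7f) return false;   // control character
    if (ch === "\\") return false;                    // the patch's fix
  }
  let resolved;
  try {
    resolved = new URL(url, SP_ORIGIN + "/");
  } catch {
    return false;                                     // unparseable target
  }
  return resolved.origin === SP_ORIGIN;
}

// Side-by-side view of one candidate ReturnTo value.
function classify(url) {
  return {
    url,
    legacyAllows: legacyIsAllowed(url),
    browserGoesTo: browserDestination(url),
    hardenedAllows: hardenedIsAllowed(url),
  };
}

console.log(classify(decodedPayload()));
console.log(classify("/\\malicious.example.org/"));
console.log(classify("/protected/page"));
```

Running it shows the payload passing the legacy check while the browser resolves it to `https://malicious.example.org`; the hardened check rejects it. The second case, `/\malicious.example.org/`, shows the same trick on a path-only value: no scheme, no "//", yet the browser still lands on the foreign host, which is why rejecting the backslash anywhere in the string, as the patch does, is the right scope.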


1 file changed

+7
-0
lines changed


Diff for: auth_mellon_util.c

@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
927927
"Control character detected in URL.");
928928
return HTTP_BAD_REQUEST;
929929
}
930+
if (*i == '\\') {
931+
/* Reject backslash character, as it can be used to bypass
932+
* redirect URL validation. */
933+
AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
934+
"Backslash character detected in URL.");
935+
return HTTP_BAD_REQUEST;
936+
}
930937
}
931938

932939
return OK;
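Review bot: The comment above the new `if (*i == '\\')` branch says only that a backslash "can be used to bypass redirect URL validation"; state the mechanism from the commit message in the code itself, so a later maintainer does not relax the check as over-broad: browsers rewrite `\` to `/` when following the redirect, so `https:\\malicious.example.org/` is parsed by apr_uri_parse() as scheme plus path with no hostname (and so treated as relative) but is followed by the browser as an absolute URL to a foreign host. Two smaller points: the new AM_LOG_RERROR line, like the control-character one above it, logs no detail of the rejected value, which makes it hard to tell an attack from a broken client when this fires in production, so consider logging at least the length of the URL and the offset of the first backslash; and the commit carries no regression test, so adding one with the exact ReturnTo value from the commit message would keep the behaviour pinned.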

0 commit comments
