@GabrielNagy

linuxserver.io


  • I have read the contributing guideline and understand that I have made the correct modifications

Description:

The characters in the regex used for mitigating CVE-2021-32637 are not exhaustive, since query strings do not always conform to RFC 3986; this is also mentioned in the security advisory for the CVE.

For example, attempting to delete multiple torrents in the qBittorrent WebUI results in a URL like the following:

confirmdeletion.html?hashes=HASH1|HASH2

This URL is valid and parsable by Authelia, but due to the regex it gets redirected infinitely.

To fix this, also allow pipe characters in the request URI.

Benefits of this PR and context:

The regex was introduced in 224abb6 to work around a CVE. The security advisory notes that the regex is not exhaustive, and there are projects (such as qbittorrent) that use pipe characters in URIs, which are valid and parsable by Authelia.

How Has This Been Tested?

After the regex modification, URLs with pipe characters in them are no longer redirected to the auth endpoint.

Source / References:

Original PR: #130
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-32637

The characters in the regex used for mitigating CVE-2021-32637 are not
exhaustive, since query strings do not always conform to RFC 3986;
this is also mentioned in the security advisory for the CVE.[1]

For example, attempting to delete multiple torrents in the qBittorrent
WebUI results in a URL like the following:

    confirmdeletion.html?hashes=HASH1|HASH2

This URL is valid and parsable by Authelia, but due to the regex it gets
redirected infinitely.

To fix this, also allow pipe characters in the request URI.

[1] GHSA-68wm-pfjf-wqp6
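The following is an added example, not code from this PR, from SWAG or from Authelia. It models the character allowlist check that the PR describes: a request URI containing any character outside the allowlist is redirected instead of being passed to the protected application, which is what produces the loop for qBittorrent's `HASH1|HASH2` query string. The exact expression in the SWAG config is not reproduced on this page, so the `RFC3986_CHARS` set below is an assumption built from the RFC 3986 unreserved, sub-delims and separator characters; the sample request URIs are constructed.

```python
import re

# Assumed allowlist: RFC 3986 unreserved (A-Z a-z 0-9 - . _ ~), percent-encoding,
# sub-delims (! $ & ' ( ) * + , ; =) and the separators : @ / ? # [ ].
# The real regex in the SWAG config is not on the page; this one is a stand-in.
RFC3986_CHARS = r"A-Za-z0-9\-._~%!$&'()*+,;=:@/?#\[\]"
STRICT = re.compile(rf"^[{RFC3986_CHARS}]*$")
# The change this PR proposes: additionally accept the pipe character that
# qBittorrent places between hashes in its query string.
WITH_PIPE = re.compile(rf"^[{RFC3986_CHARS}|]*$")


def is_allowed(request_uri, pattern=STRICT):
    """True when every character of the request URI is in the allowlist."""
    return pattern.fullmatch(request_uri) is not None


def offending_chars(request_uri, pattern=STRICT):
    """Characters that make the allowlist check fail, in order of first appearance.

    Useful when debugging a redirect loop: it names exactly which character
    the config rejects instead of leaving you to eyeball the URI.
    """
    seen = []
    for ch in request_uri:
        # The pattern is "^[...]*$", so a single character matches iff it is in the class.
        if pattern.fullmatch(ch) is None and ch not in seen:
            seen.append(ch)
    return seen


def gate(request_uri, pattern=STRICT):
    """Mimic the nginx location: 'pass' to the app behind auth_request, else 'redirect'."""
    return "pass" if is_allowed(request_uri, pattern) else "redirect"


# Constructed sample request URIs (HASH1/HASH2 stand in for real torrent hashes).
SAMPLES = [
    "/confirmdeletion.html?hashes=HASH1|HASH2",   # qBittorrent multi-delete
    "/api/v2/torrents/info?filter=all",            # plain RFC 3986 query string
    "/login?rd=https://app.example.test/\r\nX:",   # CR/LF stays rejected either way
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(
            f"{uri!r}: strict={gate(uri)} with_pipe={gate(uri, WITH_PIPE)} "
            f"offending={offending_chars(uri)}"
        )
```

Widening the class by a single literal character keeps the check an allowlist: control characters such as CR/LF, spaces and anything else outside the set are still redirected, as the third sample shows, while the qBittorrent URI now passes.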

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for opening this pull request! Be sure to follow the pull request template!


@aptalca
Member

aptalca commented Feb 16, 2022

Thanks, but SWAG (actually our nginx baseimage) is about to go through some major restructuring, so we're holding off on merging new PRs in the meantime. I believe as part of the restructuring we'll remove that regex line, as by now everyone should have updated their Authelia to a version with the proper fix. If not, they likely won't update SWAG either, so no issues there.

For now, you can manually edit that line in your instance.

@github-actions

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@aptalca
Member

aptalca commented Sep 22, 2022

should be fixed in #169

@aptalca aptalca closed this Sep 22, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 5, 2023