Fix open redirect starting with a slash and backslash

[oss-aimoto]

Fix open redirect to the following cases.

http://rp.example.co.jp/oidc/redirect_uri?logout=/\phishing-site.example.com/logout.html

When the response HTTP header is 'Location: /\phishingsite.example.com/logout.html', the browser redirects to 'phishing-site.example.com'

[abartlet]

Would it not be even better to just have a server-side configured whitelist rather than trying to enumerate badness and ban it? Surely for a given configuration there will only be a few, mostly likely one, logout URL to redirect to anyway?

[oss-aimoto]

Would it not be even better to just have a server-side configured
whitelist rather than trying to enumerate badness and ban it?

I feel the same way.

There are other problems with checking the Redirect URL.
X-forwarded-Host is used to check the hostname.
If a header is injected, it can be redirected to an arbitrary URL.
It should only be accepted from trusted hosts such as mod_remote_ip.

Is this a new issue better?

[zandbelt]

a new feature request issue is best for tracking support for whitelisted logout URLs

[abartlet]

This patch was created in response to CVE-2019-3877 in mod_auth_mellon, so shouldn't there be a CVE issued?

Red Hat is quite responsive issues CVEs. Just mail [email protected].

[abartlet]

a new feature request issue is best for tracking support for whitelisted logout URLs

Where are those tracked? Just as mails on the mailing list? The issue tracker seems to have been closed.

[ret2libc]

So, this is a different flaw than CVE-2019-14857, isn't it? Anybody has anything against me requesting a new CVE to MITRE? (MITRE is slightly preferred than Red Hat in this case, to avoid possible duplicates).

[zandbelt]

sure, go ahead

[ret2libc]

CVE-2019-20479 has been assigned to this issue.

[zandbelt]

the whitelisting of logout URLs is now in release 2.4.3, https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.3/auth_openidc.conf#L837-L844