Diffstat (limited to 'www/ap2-auth-mellon')
-rw-r--r-- | www/ap2-auth-mellon/MESSAGE | 19 | ||||
-rw-r--r-- | www/ap2-auth-mellon/Makefile | 6 | ||||
-rw-r--r-- | www/ap2-auth-mellon/distinfo | 12 | ||||
-rw-r--r-- | www/ap2-auth-mellon/patches/patch-0274 | 55 | ||||
-rw-r--r-- | www/ap2-auth-mellon/patches/patch-0347 | 69 |
5 files changed, 24 insertions, 137 deletions
diff --git a/www/ap2-auth-mellon/MESSAGE b/www/ap2-auth-mellon/MESSAGE
index 02169a003ea..e1a3ad34e0e 100644
--- a/www/ap2-auth-mellon/MESSAGE
+++ b/www/ap2-auth-mellon/MESSAGE
@@ -1,12 +1,26 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.3 2015/04/01 14:08:13 manu Exp $
+$NetBSD: MESSAGE,v 1.4 2018/05/04 02:53:38 manu Exp $
 In order to use this module in your Apache installation, you need to add
 the following to your httpd.conf file:
 LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so
-If upgrading from version prior 0.6.0, please not the following
+If upgrading from version prior 0.14.0, please note the following
+backward-incompatible change:
+
+* This version switches the default signature algorithm used when
+ signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
+ allow messages to be signed with that algorithm, you need to add a
+ setting switching back to the old algorithm:
+
+ MellonSignatureMethod rsa-sha1
+
+ Note that this only affects messages sent from mod_auth_mellon to your
+ IdP. It does not affect authentication responses or other messages
+ sent from your IdP to mod_auth_mellon.
+
+If upgrading from version prior 0.6.0, please note the following
 backward-incompatible changes:
 * The POST replay functionality has been disabled by default, and the
@@ -29,5 +43,4 @@ backward-incompatible changes:
 startup. (Apache can normally create files in that directory during
 startup.)
-
 ===========================================================================
diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile
index e73b6948959..914557bb6da 100644
--- a/www/ap2-auth-mellon/Makefile
+++ b/www/ap2-auth-mellon/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.43 2018/04/29 21:32:07 adam Exp $
+# $NetBSD: Makefile,v 1.44 2018/05/04 02:53:38 manu Exp $
-DISTNAME= mod_auth_mellon-0.12.0
+DISTNAME= mod_auth_mellon-0.14.0
 PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
-PKGREVISION= 8
+#PKGREVISION= 1
 CATEGORIES= www security
 MASTER_SITES= ${MASTER_SITE_GITHUB:=UNINETT/}/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/
diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo
index f3eec251ed4..ef734f83d5e 100644
--- a/www/ap2-auth-mellon/distinfo
+++ b/www/ap2-auth-mellon/distinfo
@@ -1,8 +1,6 @@
-$NetBSD: distinfo,v 1.18 2017/03/23 17:07:01 joerg Exp $
+$NetBSD: distinfo,v 1.19 2018/05/04 02:53:38 manu Exp $
-SHA1 (mod_auth_mellon-0.12.0.tar.gz) = 3d5cd4137154a7c848d8f3121e6497b88dc5f23e
-RMD160 (mod_auth_mellon-0.12.0.tar.gz) = 7ef278de6f4d0f0669d99c113706dc63d64f6fbc
-SHA512 (mod_auth_mellon-0.12.0.tar.gz) = 91e47509cfab9c6b472226aea79ff0120e71f80262d3b17a31ac691af4aacf58016741255409ec3272e54849efcde7c04f76dcc9670ee921503c8589656e8244
-Size (mod_auth_mellon-0.12.0.tar.gz) = 136754 bytes
-SHA1 (patch-0274) = b5dfdd4b944c3d2c3bf47cfb97869aa57c32ea68
-SHA1 (patch-0347) = d14d5a20d05fae3962e5168a0b23ab55835452ca
+SHA1 (mod_auth_mellon-0.14.0.tar.gz) = 4a93f8b093e1dea20e8a286931693c614903f2d9
+RMD160 (mod_auth_mellon-0.14.0.tar.gz) = 71a25b4fb1e9a6183a51225b588b10d330d84903
+SHA512 (mod_auth_mellon-0.14.0.tar.gz) = db1bf70c234fe89914b1bb34fc6afb5b901193a8c8c7e9946485a3e20a7d129c36427717eab53764edf5a5cff5c45dfe412e400cb1f50c49ef24dbbfd6ecbf25
+Size (mod_auth_mellon-0.14.0.tar.gz) = 948785 bytes
diff --git a/www/ap2-auth-mellon/patches/patch-0274 b/www/ap2-auth-mellon/patches/patch-0274
deleted file mode 100644
index 6b5bd91290a..00000000000
--- a/www/ap2-auth-mellon/patches/patch-0274
+++ /dev/null
@@ -1,55 +0,0 @@
-$NetBSD: patch-0274,v 1.2 2016/10/27 12:53:13 manu Exp $
-
-From fe0eb56e29f89513b2dcf3c222fa3a2e8a09383f Mon Sep 17 00:00:00 2001
-From: Olav Morken <olav.morken@uninett.no>
-Date: Mon, 14 Mar 2016 09:47:48 +0100
-Subject: [PATCH 274/274] Return 500 Internal Server Error if probe discovery
- fails.
-
-If we don't, we can end up sending an authentication request to an IdP
-that is not in the MellonProbeDiscoveryIdP list, which is probably not
-what the user wants.
-
-Patch by Emmanuel Dreyfus.
---
- README | 3 +++
- auth_mellon_handler.c | 10 +++++++++-
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/README b/README
-index 638329c..4e4f229 100644
---- README
-+++ README
-@@ -471,6 +471,9 @@ MellonPostCount 100
-
- # MellonProbeDiscoveryIdP can be used to restrict the
- # list of IdP queried by the IdP probe discovery service.
-+ # If probe discovery fails and this is provided, an
-+ # HTTP error 500 is returned, instead of proceeding
-+ # with first available IdP.
- #
- # Default unset, which means that all configured IdP are
- # queried.
-diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
-index 7f4b73a..a72e1ca 100644
---- auth_mellon_handler.c
-+++ auth_mellon_handler.c
-@@ -3316,9 +3316,17 @@ static int am_handle_probe_discovery(request_rec *r) {
- }
-
- /*
-- * On failure, try default
-+ * On failure, fail if a MellonProbeDiscoveryIdP
-+ * list was provided, otherwise try first IdP.
- */
- if (disco_idp == NULL) {
-+ if (!apr_is_empty_table(cfg->probe_discovery_idp)) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "probeDiscovery failed and non empty "
-+ "MellonProbeDiscoveryIdP was provided.");
-+ return HTTP_INTERNAL_SERVER_ERROR;
-+ }
-+
- disco_idp = am_first_idp(r);
- if (disco_idp == NULL) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
diff --git a/www/ap2-auth-mellon/patches/patch-0347 b/www/ap2-auth-mellon/patches/patch-0347
deleted file mode 100644
index 215272dbd4e..00000000000
--- a/www/ap2-auth-mellon/patches/patch-0347
+++ /dev/null
@@ -1,69 +0,0 @@
-$NetBSD: patch-0347,v 1.2 2016/10/27 12:53:13 manu Exp $
-
-From 78fe67641918016a6108e325be351156999109c9 Mon Sep 17 00:00:00 2001
-From: Emmanuel Dreyfus <manu@netbsd.org>
-Date: Tue, 18 Oct 2016 01:42:53 +0200
-Subject: [PATCH] Do not redirect unauthenticated AJAX request to the IdP
-
-When MellonEnable is "auth" and we get an unauthenticated AJAX
-request (identified by the X-Request-With: XMLHttpRequest HTTP
-header), fail with HTTP code 403 Forbidden instead of redirecting
-to the IdP. This saves resources, as the client has no opportunity
-to interract with the user to complete authentification.
---
- README | 6 ++++++
- auth_mellon_handler.c | 14 ++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git README README
-index ec323ab..5960cc8 100644
---- README
-+++ README
-@@ -166,6 +166,12 @@ MellonPostCount 100
- # return a 403 Forbidden error. If he isn't authenticated
- # then we will redirect him to the login page of the IdP.
- #
-+ # There is a special handling of AJAX requests, that are
-+ # identified by the "X-Request-With: XMLHttpRequest" HTTP
-+ # header. Since no user interaction can happen there,
-+ # we always fail unauthenticated (not logged in) requests
-+ # with a 403 Forbidden error without redirecting to the IdP.
-+ #
- # Default: MellonEnable "off"
- MellonEnable "auth"
-
-diff --git auth_mellon_handler.c auth_mellon_handler.c
-index 0457189..a55828a 100644
---- auth_mellon_handler.c
-+++ auth_mellon_handler.c
-@@ -3491,6 +3491,7 @@ int am_auth_mellon_user(request_rec *r)
- am_dir_cfg_rec *dir = am_get_dir_cfg(r);
- int return_code = HTTP_UNAUTHORIZED;
- am_cache_entry_t *session;
-+ const char *ajax_header;
-
- if (r->main) {
- /* We are a subrequest. Trust the main request to have
-@@ -3534,6 +3535,19 @@ int am_auth_mellon_user(request_rec *r)
- am_release_request_session(r, session);
- }
-
-+ /*
-+ * If this is an AJAX request, we cannot proceed to the IdP,
-+ * Just fail early to save our resources
-+ */
-+ ajax_header = apr_table_get(r->headers_in, "X-Request-With");
-+ if (ajax_header != NULL &&
-+ strcmp(ajax_header, "XMLHttpRequest") == 0) {
-+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-+ "Deny unauthenticated X-Request-With XMLHttpRequest "
-+ "(AJAX) request");
-+ return HTTP_FORBIDDEN;
-+ }
-+
- #ifdef HAVE_ECP
- /*
- * If PAOS set a flag on the request indicating we're
---
-2.3.2
-
|