release 2.4.12.2: CVE-2022-23527 prevent open redirect in default setup

i.e. when OIDCRedirectURLsAllowed is not configured, see:
GHSA-q6f2-285m-gr53

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,8 @@
+12/13/2022
+- CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured
+  see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+- release 2.4.12.2
+
 12/08/2022
 - simplify redis context code
 - bump to 2.4.12.2rc1

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.12.2rc1],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.12.2],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/mod_auth_openidc.c

@@ -2537,15 +2537,15 @@ apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
 		oidc_error(r, "%s: %s", *err_str, *err_desc);
 		return FALSE;
 	}
-
-	if ((strstr(url, "/%09") != NULL) || (strstr(url, "/%2f") != NULL)
-			|| (strstr(url, "/%68") != NULL) || (strstr(url, "/http:") != NULL)
-			|| (strstr(url, "/https:") != NULL) || (strstr(url, "/javascript:") != NULL)
+	if (       (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
+			|| (strstr(url, "/\t") != NULL)
+			|| (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
+			|| (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
 			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
 			|| (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
 			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/ｰ") != NULL)
-			|| (strstr(url, "/<") != NULL) || (strstr(url, "%01javascript:") != NULL)
-			|| (strstr(url, "/%5c") != NULL)) {
+			|| (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
+			|| (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
 		*err_str = apr_pstrdup(r->pool, "Invalid URL");
 		*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
 		oidc_error(r, "%s: %s", *err_str, *err_desc);

src/mod_auth_openidc.h

@@ -853,6 +853,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
 char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
 apr_byte_t oidc_enabled(request_rec *r);
 char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
+char* oidc_util_strcasestr(const char *s1, const char *s2);
 
 /* HTTP header constants */
 #define OIDC_HTTP_HDR_COOKIE                            "Cookie"

src/util.c

@@ -434,7 +434,7 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
     return output;
 }
 
-static char* oidc_util_strcasestr(const char *s1, const char *s2) {
+char* oidc_util_strcasestr(const char *s1, const char *s2) {
 	const char *s = s1;
 	const char *p = s2;
 	do {

test/open-redirect-payload-list.txt

@@ -1,4 +1,5 @@
 /%09/example.com
+/	/example.com
 /%2f%2fexample.com
 /%2f%2f%2fbing.com%2f%3fwww.omise.co
 /%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/