CVE-2019-13038: Open Redirection issue · Issue #35 · Uninett/mod_auth_mellon

mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.


I can confirm that @awakenine's fix works. I also can't think of a reason to accept a ReturnTo argument that contains a scheme but no hostname in the URI, but maybe others could. If there is no use case for such an argument, I would vote for merging the patch.

OTOH, I don’t completely agree with removal of the backslash check. Maybe my knowledge of the codebase is still not so deep, but it appears that the backslash check is sort of orthogonal to the parsing and moreover am_check_url is used in fewer locations than am_validate_redirect_url and the functions are not codependent.

At the very least, the commit message of the patch that touches am_validate_redirect_url should be a bit better.

As I understand from this conversation, the backslash check was introduced as a fix to a previous bypass. Now it should be covered by the hostname check, because apr_uri_parse() will parse any http and https URL without :// as URI [scheme]:[path], and it will cause HTTP_BAD_REQUEST.

uri: 'http:/\example.com/page.html' (ret=0)
    scheme: 'http'
    hostinfo: '(null)'
    user: '(null)'
    password: '(null)'
    hostname: '(null)'
    port_str: '(null)'
    path: '/\example.com/page.html'
    query: '(null)'
    fragment: '(null)'
    port: '0'
    is_initialized: '1'
    dns_looked_up: '0'
    dns_resolved: '0'
psznewuri: 'http:/\example.com/page.html'

Please let me know if you can bypass that.
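The validation logic the thread converges on (reject a ReturnTo that has a scheme but no hostname, and keep the backslash check as an independent guard), written out as an added example. This is not mod_auth_mellon code: it uses Python's urllib.parse.urlsplit, which splits `http:/\example.com/page.html` into scheme `http` and path `/\example.com/page.html` with no host, matching the apr_uri_parse dump above for that input (assumption: the two parsers agree for the inputs used here). The allowed-host set, the function names and the reason strings are all constructed for the example.

```python
"""Post-login redirect target validation, in the spirit of the ReturnTo
discussion above. Added example, not project code."""
from urllib.parse import urlsplit

# Hosts this service provider is willing to send a user back to (constructed).
ALLOWED_HOSTS = frozenset({"sp.example.org"})

OK = "ok"
REASON_NO_HOST = "scheme without hostname"
REASON_SCHEME = "scheme not allowed"
REASON_HOST = "host not allowed"
REASON_PROTO_RELATIVE = "protocol-relative URL"
REASON_RELATIVE = "relative URL must start with /"
REASON_BACKSLASH = "backslash in URL"


def describe(url: str) -> dict:
    """Return the fields the validator reasons about, for inspection or logging.

    For "http:/\\example.com/page.html" this yields hostname None, i.e. the
    same scheme-plus-path split the apr_uri_parse dump above shows.
    """
    p = urlsplit(url)
    return {"scheme": p.scheme, "hostname": p.hostname, "path": p.path}


def validate_redirect_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple:
    """Decide whether `url` may be used as a redirect target.

    Returns (accepted, reason). The hostname check runs first so that the
    malformed "http:/\\host/..." form is rejected on its own merits; the
    backslash check runs last and is orthogonal to parsing, which is why a
    well-formed URL on an allowed host can still fail it.
    """
    p = urlsplit(url)

    if p.scheme:
        # Absolute URL: only web schemes, and the parser must have found a host.
        if p.scheme not in ("http", "https"):
            return False, REASON_SCHEME
        if not p.hostname:
            return False, REASON_NO_HOST
        if p.hostname not in allowed_hosts:
            return False, REASON_HOST
    else:
        # No scheme: accept a local absolute path, but not "//host/..." which
        # browsers resolve against the current scheme and send off-site.
        if p.netloc:
            return False, REASON_PROTO_RELATIVE
        if not url.startswith("/"):
            return False, REASON_RELATIVE

    # Independent guard: a backslash is never legitimate in a target we would
    # emit in a Location header, regardless of how a parser treats it.
    if "\\" in url:
        return False, REASON_BACKSLASH

    return True, OK


if __name__ == "__main__":
    # Constructed inputs: one good target, the form from the dump above,
    # a protocol-relative target, and a backslash on an allowed host.
    for candidate in (
        "https://sp.example.org/app",
        "http:/\\example.com/page.html",
        "//sp.example.org/app",
        "https://sp.example.org/a\\b",
        "/local/page",
    ):
        print(candidate, "->", validate_redirect_url(candidate), describe(candidate))
```

Running the block prints each constructed target with its verdict. The order of checks is the point: `http:/\example.com/page.html` is refused because the parser found no hostname, not because of the backslash, which is the argument made above for the hostname check covering the earlier bypass while the backslash check stays as a separate layer.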
