Prevent redirect to URLs that begin with '///'

Visiting a logout URL like this: https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html would have redirected the user to fishing-site.example.com With the patch, this URL would be rejected. Fixes: CVE-2021-3639
latchset · Jul 29, 2021 · 42a1126 · 42a1126
1 parent ec27b39
commit 42a1126
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
 {
     const char *i;
 
+    if (url == NULL) {
+        return HTTP_BAD_REQUEST;
+    }
+
     for (i = url; *i; i++) {
         if (*i >= 0 && *i < ' ') {
             /* Deny all control-characters. */
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
         }
     }
 
+    if (strstr(url, "///") == url) {
+        AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+                          "URL starts with '///'");
+        return HTTP_BAD_REQUEST;
+    }
+
     return OK;
 }