Skip to content

Commit

Permalink
release 2.4.15.2: fix DoS CVE-2024-24814
Browse files Browse the repository at this point in the history
fix CVE-2024-24814: DoS when `OIDCSessionType client-cookie` is set and
a crafted Cookie header is supplied
GHSA-hxr6-w4gc-7vvv

Signed-off-by: Hans Zandbelt <[email protected]>
  • Loading branch information
zandbelt committed Feb 6, 2024
1 parent 388e3ba commit 4022c12
Show file tree
Hide file tree
Showing 3 changed files with 23 additions and 17 deletions.
5 changes: 5 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
02/13/2024
- CVE-2024-24814: prevent DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
- release 2.4.15.2

01/31/2024
- avoid crash when Forwarded is not present but OIDCXForwardedHeaders is configured for it; see #1171; thanks @daviddpd
- bump to 2.4.15.2dev
Expand Down
2 changes: 1 addition & 1 deletion configure.ac
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
AC_INIT([mod_auth_openidc],[2.4.15.2dev],[[email protected]])
AC_INIT([mod_auth_openidc],[2.4.15.2],[[email protected]])

AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())

Expand Down
33 changes: 17 additions & 16 deletions src/util.c
Original file line number Diff line number Diff line change
Expand Up @@ -1559,23 +1559,24 @@ static char *oidc_util_get_chunk_cookie_name(request_rec *r, const char *cookieN
* get a cookie value that is split over a number of chunked cookies
*/
char *oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName, int chunkSize) {
char *cookieValue = NULL;
char *chunkValue = NULL;
int i = 0;
if (chunkSize == 0) {
cookieValue = oidc_util_get_cookie(r, cookieName);
} else {
int chunkCount = oidc_util_get_chunked_count(r, cookieName);
if (chunkCount > 0) {
cookieValue = "";
for (i = 0; i < chunkCount; i++) {
chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
if (chunkValue != NULL)
cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue, chunkValue);
}
} else {
cookieValue = oidc_util_get_cookie(r, cookieName);
char *cookieValue = NULL, *chunkValue = NULL;
int chunkCount = 0, i = 0;
if (chunkSize == 0)
return oidc_util_get_cookie(r, cookieName);
chunkCount = oidc_util_get_chunked_count(r, cookieName);
if (chunkCount == 0)
return oidc_util_get_cookie(r, cookieName);
if ((chunkCount < 0) || (chunkCount > 99)) {
oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
return NULL;
}
for (i = 0; i < chunkCount; i++) {
chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
if (chunkValue == NULL) {
oidc_warn(r, "could not find chunk %d; aborting", i);
break;
}
cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
}
return cookieValue;
}
Expand Down

0 comments on commit 4022c12

Please sign in to comment.