-rw-r--r-- | debian/changelog | 17 | ||||
-rw-r--r-- | debian/compat | 2 | ||||
-rw-r--r-- | debian/control | 9 | ||||
-rw-r--r-- | debian/gbp.conf | 3 | ||||
-rw-r--r-- | debian/patches/0002-Suppress-CGI-warnings-from-param-in-list-context.patch | 87 | ||||
-rw-r--r-- | debian/patches/0003-Add-missing-word-in-generic-help-for-remember-checkb.patch | 35 | ||||
-rw-r--r-- | debian/patches/0004-Set-secure-cookie-flag-properly-with-WebAuthSSLRetur.patch | 56 | ||||
-rw-r--r-- | debian/patches/0005-Correctly-honor-WebKdcTokenMaxTTL-for-request-tokens.patch | 25 | ||||
-rw-r--r-- | debian/patches/series | 4 | ||||
-rwxr-xr-x | debian/rules | 8 | ||||
-rw-r--r-- | debian/watch | 2 | ||||
-rw-r--r-- | modules/webauth/mod_webauth.c | 7 | ||||
-rw-r--r-- | modules/webkdc/mod_webkdc.c | 4 | ||||
-rw-r--r-- | perl/lib/WebLogin.pm | 26 | ||||
-rw-r--r-- | weblogin/templates/help.html | 12 |
15 files changed, 263 insertions, 34 deletions
diff --git a/debian/changelog b/debian/changelog index 61b703e9..4281fa9f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +webauth (4.7.0-6) unstable; urgency=medium + + * Orphan this package, since I no longer use it and cannot therefore + test or maintain it properly. It has also been orphaned upstream. + * Set Secure cookie flag properly with WebAuthSSLReturn. + * Correctly honor WebKdcTokenMaxTTL for request tokens. + * Suppress CGI warnings from using param in list context in WebLogin. + * Add missing word in default WebLogin help text. (Closes: #783289) + * Update debhelper compatibility level to V11. + - Remove now-unnecessary explicit dependency on dh-autoreconf. + * Switch to the DEP-14 branch layout and update debian/gbp.conf and + Vcs-Git accordingly. + * Update standards version to 4.1.3 (no changes required). + * Use https URL in debian/watch. + + -- Russ Allbery <rra@debian.org> Thu, 28 Dec 2017 17:12:37 -0800 + webauth (4.7.0-5) unstable; urgency=medium * Update build dependency to libssl-dev (OpenSSL 1.1). (Closes: #859788) diff --git a/debian/compat b/debian/compat index ec635144..b4de3947 100644 --- a/debian/compat +++ b/debian/compat @@ -1 +1 @@ -9 +11 diff --git a/debian/control b/debian/control index e9e0afd7..c82e0797 100644 --- a/debian/control +++ b/debian/control @@ -1,12 +1,11 @@ Source: webauth Section: web Priority: optional -Maintainer: Russ Allbery <rra@debian.org> +Maintainer: Debian QA Group <packages@qa.debian.org> Build-Depends: apache2-dev (>> 2.4.4-3~), - debhelper (>= 9), + debhelper (>= 11), dh-apache2, - dh-autoreconf, libapr1-dev, libaprutil1-dev, libauthen-oath-perl, 
@@ -41,9 +40,9 @@ Build-Depends: libxml-parser-perl, perl, pkg-config, -Standards-Version: 4.0.1 +Standards-Version: 4.1.3 Homepage: https://webauth.stanford.edu/ -Vcs-Git: https://git.eyrie.org/git/kerberos/webauth.git -b debian +Vcs-Git: https://git.eyrie.org/git/kerberos/webauth.git -b debian/master Vcs-Browser: https://git.eyrie.org/?p=kerberos/webauth.git Package: libapache2-mod-webauth diff --git a/debian/gbp.conf b/debian/gbp.conf index b60e797a..7cd1a8cb 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -3,4 +3,5 @@ # debian branch). Tell git-buildpackage about this layout. [DEFAULT] -debian-branch = debian +debian-branch = debian/master +upstream-branch = upstream/latest diff --git a/debian/patches/0002-Suppress-CGI-warnings-from-param-in-list-context.patch b/debian/patches/0002-Suppress-CGI-warnings-from-param-in-list-context.patch new file mode 100644 index 00000000..ff832f34 --- /dev/null +++ b/debian/patches/0002-Suppress-CGI-warnings-from-param-in-list-context.patch 
@@ -0,0 +1,87 @@ +From: Robert Bradley <robert.bradley@it.ox.ac.uk> +Date: Sat, 28 Nov 2015 21:36:39 -0800 +Subject: Suppress CGI warnings from param in list context + +Force scalar context to eliminate the new warning from the CGI +module: + +FastCGI: server "/usr/share/webkdc/cgi/login.fcgi" stderr: CGI::param +called in list context from package WebLogin line 1615, this can lead +to vulnerabilities. See the warning in "Fetching the value or values +of a single named parameter" at /usr/share/perl5/CGI.pm line 436. +--- + perl/lib/WebLogin.pm | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/perl/lib/WebLogin.pm b/perl/lib/WebLogin.pm +index 004459c..c657b02 100644 +--- a/perl/lib/WebLogin.pm ++++ b/perl/lib/WebLogin.pm +@@ -195,7 +195,7 @@ sub cgiapp_prerun { + + # Store the CPT if one was already generated, so that we have one place to + # check. +- $self->param ('CPT', $self->query->param ('CPT')); ++ $self->param ('CPT', scalar $self->query->param ('CPT')); + + # Work around a bug in CGI that doesn't always set the script name. + $self->query->{'.script_name'} = $ENV{SCRIPT_NAME}; +@@ -433,7 +433,7 @@ sub print_headers { + + # Set the test cookie unless it's already set. + unless ($q->cookie ($self->param ('test_cookie'))) { +- my $cookie = $q->cookie (-name => $self->param ('test_cookie'), ++ my $cookie = $q->cookie (-name => scalar $self->param ('test_cookie'), + -value => 'True', + -secure => $secure, + -httponly => 1); +@@ -1096,8 +1096,8 @@ sub print_remuser_redirect { + $self->template_params ({err_msg => $errmsg}); + return $self->print_error_page; + } else { +- $uri .= "?RT=" . $self->fix_token ($q->param ('RT')) . +- ";ST=" . $self->fix_token ($q->param ('ST')); ++ $uri .= "?RT=" . $self->fix_token (scalar $q->param ('RT')) . ++ ";ST=" . 
$self->fix_token (scalar $q->param ('ST')); + print STDERR "redirecting to $uri\n" if $self->param ('debug'); + return $self->redirect ($uri); + } +@@ -1627,21 +1627,21 @@ sub setup_kdc_request { + my $q = $self->query; + + # Set up the parameters to the WebKDC request. +- $self->{request}->service_token ($self->fix_token ($q->param ('ST'))) ++ $self->{request}->service_token ($self->fix_token (scalar $q->param ('ST'))) + if $q->param ('ST'); +- $self->{request}->request_token ($self->fix_token ($q->param ('RT'))) ++ $self->{request}->request_token ($self->fix_token (scalar $q->param ('RT'))) + if $q->param ('RT'); +- $self->{request}->pass ($q->param ('password')) ++ $self->{request}->pass (scalar $q->param ('password')) + if $q->param ('password'); +- $self->{request}->otp ($q->param ('otp')) ++ $self->{request}->otp (scalar $q->param ('otp')) + if $q->param ('otp'); +- $self->{request}->device_id ($q->param ('device_id')) ++ $self->{request}->device_id (scalar $q->param ('device_id')) + if $q->param ('device_id'); +- $self->{request}->otp_type ($q->param ('factor_type')) ++ $self->{request}->otp_type (scalar $q->param ('factor_type')) + if $q->param ('factor_type'); +- $self->{request}->authz_subject ($q->param ('authz_subject')) ++ $self->{request}->authz_subject (scalar $q->param ('authz_subject')) + if $q->param ('authz_subject'); +- $self->{request}->login_state ($q->param ('LS')) ++ $self->{request}->login_state (scalar $q->param ('LS')) + if $q->param ('LS'); + + # For the initial login page and password change page, we may need to map +@@ -1662,7 +1662,7 @@ sub setup_kdc_request { + } + $q->param ('username', $username); + } +- $self->{request}->user ($q->param ('username')) if $q->param ('username'); ++ $self->{request}->user (scalar $q->param ('username')) if $q->param ('username'); + + # Check for replays or rate limiting of failed authentications for the + # initial login page, the multifactor login page, and the multifactor_send 
diff --git a/debian/patches/0003-Add-missing-word-in-generic-help-for-remember-checkb.patch b/debian/patches/0003-Add-missing-word-in-generic-help-for-remember-checkb.patch new file mode 100644 index 00000000..0e98ac07 --- /dev/null +++ b/debian/patches/0003-Add-missing-word-in-generic-help-for-remember-checkb.patch @@ -0,0 +1,35 @@ +From: Russ Allbery <eagle@eyrie.org> +Date: Sun, 26 Apr 2015 18:27:31 -0700 +Subject: Add missing word in generic help for remember checkbox + +There was a missing "neither" that made the help documentation +confusing. Reported in Debian Bug#783289. + +Change-Id: Ie1e3c1201cd3968fdebb592bf9bc86c95df36f79 +--- + weblogin/templates/help.html | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/weblogin/templates/help.html b/weblogin/templates/help.html +index 7847a24..08eb606 100644 +--- a/weblogin/templates/help.html ++++ b/weblogin/templates/help.html +@@ -85,12 +85,12 @@ + <h2><a name="remember"></a>What if I don't use this machine + regularly?</h2> + +- <p>Uncheck the check box. WebLogin will then set up single sign-on +- for this browser session nor (if applicable) store any multifactor +- authentication information. Therefore, you will be prompted to log +- in the next time you are required to authenticate as though you had +- not previously visited a WebAuth-protected site during this web +- browser session.</p> ++ <p>Uncheck the check box. WebLogin will then neither set up single ++ sign-on for this browser session nor (if applicable) store any ++ multifactor authentication information. Therefore, you will be ++ prompted to log in the next time you are required to authenticate as ++ though you had not previously visited a WebAuth-protected site ++ during this web browser session.</p> + + <h2><a name="help"></a>Help! What did I do wrong?</h2> + 
diff --git a/debian/patches/0004-Set-secure-cookie-flag-properly-with-WebAuthSSLRetur.patch b/debian/patches/0004-Set-secure-cookie-flag-properly-with-WebAuthSSLRetur.patch new file mode 100644 index 00000000..487644b9 --- /dev/null +++ b/debian/patches/0004-Set-secure-cookie-flag-properly-with-WebAuthSSLRetur.patch 
@@ -0,0 +1,56 @@ +From: Russ Allbery <eagle@eyrie.org> +Date: Sun, 9 Aug 2015 10:31:15 -0700 +Subject: Set secure cookie flag properly with WebAuthSSLReturn + +If WebAuthSSLReturn is set to true, we may see non-SSL connections +that are SSL from the perspective of the browser (such as a WebAuth +server behind an L7 load balancer that does SSL termination). In +this case, we still want to set the secure flag on the cookie so that +the browser properly restricts it to SSL connections. + +Trigger setting the secure flag off the combination of whether the +request is SSL and whether WebAuthSSLReturn is set, rather than +just the former. +--- + modules/webauth/mod_webauth.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/modules/webauth/mod_webauth.c b/modules/webauth/mod_webauth.c +index e938c91..350683c 100644 +--- a/modules/webauth/mod_webauth.c ++++ b/modules/webauth/mod_webauth.c +@@ -234,6 +234,7 @@ nuke_cookie(MWA_REQ_CTXT *rc, const char *name, int if_set) + { + char *cookie; + const char *path = "/"; ++ bool is_secure = is_https(rc->r) || rc->dconf->ssl_return; + + if (if_set && find_cookie(rc, name) == NULL) + return; +@@ -244,7 +245,7 @@ nuke_cookie(MWA_REQ_CTXT *rc, const char *name, int if_set) + "%s=; path=%s; expires=%s;%s", + name, path, + "Thu, 26-Mar-1998 00:00:01 GMT", +- is_https(rc->r) ? "secure" : ""); ++ is_secure ? "secure" : ""); + if (rc->sconf->debug) + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, rc->r->server, + "mod_webauth: nuking cookie(%s): (%s)", +@@ -305,6 +306,8 @@ static void + fixup_setcookie(MWA_REQ_CTXT *rc, const char *name, const char *value, + const char *path) + { ++ bool is_secure = is_https(rc->r) || rc->dconf->ssl_return; ++ + if (path == NULL) + path = "/"; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, rc->r->server, +@@ -317,7 +320,7 @@ fixup_setcookie(MWA_REQ_CTXT *rc, const char *name, const char *value, + name, + value, + path, +- is_https(rc->r) ? "; secure" : "", ++ is_secure ? 
"; secure" : "", + rc->sconf->httponly ? "; HttpOnly" : ""); + } + diff --git a/debian/patches/0005-Correctly-honor-WebKdcTokenMaxTTL-for-request-tokens.patch b/debian/patches/0005-Correctly-honor-WebKdcTokenMaxTTL-for-request-tokens.patch new file mode 100644 index 00000000..b64c52db --- /dev/null +++ b/debian/patches/0005-Correctly-honor-WebKdcTokenMaxTTL-for-request-tokens.patch @@ -0,0 +1,25 @@ +From: Russ Allbery <eagle@eyrie.org> +Date: Wed, 25 Nov 2015 14:42:24 -0800 +Subject: Correctly honor WebKdcTokenMaxTTL for request tokens + +--- + modules/webkdc/mod_webkdc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/modules/webkdc/mod_webkdc.c b/modules/webkdc/mod_webkdc.c +index e570961..0ecde8f 100644 +--- a/modules/webkdc/mod_webkdc.c ++++ b/modules/webkdc/mod_webkdc.c +@@ -990,9 +990,11 @@ parse_request_token(MWK_REQ_CTXT *rc, const char *token, + /* Copy the token and do some additional checks. */ + *rt = &data->token.request; + expiration = (*rt)->creation + rc->sconf->token_max_ttl; +- if (expiration < time(NULL)) ++ if (expiration < time(NULL)) { + set_errorResponse(rc, WA_PEC_REQUEST_TOKEN_STALE, + "request token was stale", mwk_func, false); ++ return MWK_ERROR; ++ } + return MWK_OK; + } + diff --git a/debian/patches/series b/debian/patches/series index 1de78b28..0c4f6eab 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,5 @@ 0001-Fix-OpenSSL-library-probe.patch +0002-Suppress-CGI-warnings-from-param-in-list-context.patch +0003-Add-missing-word-in-generic-help-for-remember-checkb.patch +0004-Set-secure-cookie-flag-properly-with-WebAuthSSLRetur.patch +0005-Correctly-honor-WebKdcTokenMaxTTL-for-request-tokens.patch diff --git a/debian/rules b/debian/rules index 78cad4f3..15e4eec1 100755 --- a/debian/rules +++ b/debian/rules 
@@ -23,14 +23,14 @@ endif PERL_VENDORARCH := $(shell perl -MConfig -e 'print $$Config{vendorarch}') %: - dh $@ --parallel --with apache2,autoreconf + dh $@ --parallel --with apache2 override_dh_autoreconf: dh_autoreconf --as-needed override_dh_auto_configure: - dh_auto_configure --parallel -- --libexecdir=/usr/lib \ - --enable-webkdc --enable-perl --with-apxs=/usr/bin/apxs \ + dh_auto_configure --parallel -- --libexecdir=/usr/lib \ + --enable-webkdc --enable-perl --with-apxs=/usr/bin/apxs \ --enable-reduced-depends override_dh_auto_install: @@ -45,7 +45,7 @@ override_dh_installchangelogs: override_dh_fixperms: dh_fixperms - set -e; if [ -d 'debian/libwebkdc-perl/var/cache/weblogin' ] ; then \ + set -e; if [ -d 'debian/libwebkdc-perl/var/cache/weblogin' ] ; then \ chown www-data:www-data debian/libwebkdc-perl/var/cache/weblogin; \ fi diff --git a/debian/watch b/debian/watch index a93ca1f4..c401a1a8 100644 --- a/debian/watch +++ b/debian/watch @@ -1,3 +1,3 @@ version=3 opts=pgpsigurlmangle=s/$/.asc/ \ - http://webauth.stanford.edu/download.html ^dist/webauth-([^-]+)\.tar\.xz + https://webauth.stanford.edu/download.html ^dist/webauth-([^-]+)\.tar\.xz diff --git a/modules/webauth/mod_webauth.c b/modules/webauth/mod_webauth.c index e938c914..350683cf 100644 --- a/modules/webauth/mod_webauth.c +++ b/modules/webauth/mod_webauth.c @@ -234,6 +234,7 @@ nuke_cookie(MWA_REQ_CTXT *rc, const char *name, int if_set) { char *cookie; const char *path = "/"; + bool is_secure = is_https(rc->r) || rc->dconf->ssl_return; if (if_set && find_cookie(rc, name) == NULL) return; @@ -244,7 +245,7 @@ nuke_cookie(MWA_REQ_CTXT *rc, const char *name, int if_set) "%s=; path=%s; expires=%s;%s", name, path, "Thu, 26-Mar-1998 00:00:01 GMT", - is_https(rc->r) ? "secure" : ""); + is_secure ? "secure" : ""); if (rc->sconf->debug) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, rc->r->server, "mod_webauth: nuking cookie(%s): (%s)", 
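Review bot: `bool is_secure = is_https(rc->r) || rc->dconf->ssl_return;` is computed by hand in nuke_cookie here and again in fixup_setcookie in the next hunk (both also quoted in debian/patches/0004), so a future edit can easily make the set and the clear path disagree; a single `static bool cookie_is_secure(const MWA_REQ_CTXT *rc)` used by both would keep them in step, which matters because browsers implementing "leave secure cookies alone" ignore a non-Secure Set-Cookie that tries to expire a Secure cookie. The declaration also deserves a why-comment, e.g. `/* With WebAuthSSLReturn, TLS is terminated upstream: the browser sees HTTPS even when this hop is plain HTTP, so the cookie must still be Secure. */`. Whether `<stdbool.h>` is already included in this file is not visible from the hunk. nuke_cookie continues outside the hunk.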
@@ -305,6 +306,8 @@ static void fixup_setcookie(MWA_REQ_CTXT *rc, const char *name, const char *value, const char *path) { + bool is_secure = is_https(rc->r) || rc->dconf->ssl_return; + if (path == NULL) path = "/"; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, rc->r->server, @@ -317,7 +320,7 @@ fixup_setcookie(MWA_REQ_CTXT *rc, const char *name, const char *value, name, value, path, - is_https(rc->r) ? "; secure" : "", + is_secure ? "; secure" : "", rc->sconf->httponly ? "; HttpOnly" : ""); } diff --git a/modules/webkdc/mod_webkdc.c b/modules/webkdc/mod_webkdc.c index e570961d..0ecde8fe 100644 --- a/modules/webkdc/mod_webkdc.c +++ b/modules/webkdc/mod_webkdc.c @@ -990,9 +990,11 @@ parse_request_token(MWK_REQ_CTXT *rc, const char *token, /* Copy the token and do some additional checks. */ *rt = &data->token.request; expiration = (*rt)->creation + rc->sconf->token_max_ttl; - if (expiration < time(NULL)) + if (expiration < time(NULL)) { set_errorResponse(rc, WA_PEC_REQUEST_TOKEN_STALE, "request token was stale", mwk_func, false); + return MWK_ERROR; + } return MWK_OK; } diff --git a/perl/lib/WebLogin.pm b/perl/lib/WebLogin.pm index 004459ce..c657b026 100644 --- a/perl/lib/WebLogin.pm +++ b/perl/lib/WebLogin.pm @@ -195,7 +195,7 @@ sub cgiapp_prerun { # Store the CPT if one was already generated, so that we have one place to # check. - $self->param ('CPT', $self->query->param ('CPT')); + $self->param ('CPT', scalar $self->query->param ('CPT')); # Work around a bug in CGI that doesn't always set the script name. $self->query->{'.script_name'} = $ENV{SCRIPT_NAME}; @@ -433,7 +433,7 @@ sub print_headers { # Set the test cookie unless it's already set. unless ($q->cookie ($self->param ('test_cookie'))) { - my $cookie = $q->cookie (-name => $self->param ('test_cookie'), + my $cookie = $q->cookie (-name => scalar $self->param ('test_cookie'), -value => 'True', -secure => $secure, -httponly => 1); 
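Review bot: The stale-token branch now returns MWK_ERROR, but `*rt = &data->token.request;` two lines earlier has already handed the decoded token to the caller, so a caller that checks `*rt` rather than the return value (whether any does is not visible here) would still see the stale token; resetting it before the return, `*rt = NULL;`, is cheap insurance if the out-parameter convention allows it. The branch also merits a why-comment, e.g. `/* A stale request token must not be processed; earlier versions fell through to MWK_OK here. */`. The same lines are quoted in debian/patches/0005. parse_request_token starts outside the hunk.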
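Review bot: Forcing scalar context is the right fix, but the `scalar $q->param (...)` wrapper is now repeated at every call site in this hunk and in print_headers, print_remuser_redirect and setup_kdc_request below (and again in debian/patches/0002), so a new call site can silently reintroduce the list-context hazard the CGI warning describes; an accessor such as `sub _param { my ($self, $name) = @_; return scalar $self->query->param ($name); }` would make scalar context the default. In setup_kdc_request each parameter is fetched twice, once in the postfix `if` and once for the value; capturing it once, `my $st = scalar $q->param ('ST');`, reads better and would also bring the final `username` line back under 80 columns. In print_headers the `-name => scalar $self->param ('test_cookie')` call appears to go through the CGI::Application accessor rather than CGI's param, so the added `scalar` there is harmless but not what the warning is about. cgiapp_prerun continues outside the hunk.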
@@ -1096,8 +1096,8 @@ sub print_remuser_redirect { $self->template_params ({err_msg => $errmsg}); return $self->print_error_page; } else { - $uri .= "?RT=" . $self->fix_token ($q->param ('RT')) . - ";ST=" . $self->fix_token ($q->param ('ST')); + $uri .= "?RT=" . $self->fix_token (scalar $q->param ('RT')) . + ";ST=" . $self->fix_token (scalar $q->param ('ST')); print STDERR "redirecting to $uri\n" if $self->param ('debug'); return $self->redirect ($uri); } @@ -1627,21 +1627,21 @@ sub setup_kdc_request { my $q = $self->query; # Set up the parameters to the WebKDC request. - $self->{request}->service_token ($self->fix_token ($q->param ('ST'))) + $self->{request}->service_token ($self->fix_token (scalar $q->param ('ST'))) if $q->param ('ST'); - $self->{request}->request_token ($self->fix_token ($q->param ('RT'))) + $self->{request}->request_token ($self->fix_token (scalar $q->param ('RT'))) if $q->param ('RT'); - $self->{request}->pass ($q->param ('password')) + $self->{request}->pass (scalar $q->param ('password')) if $q->param ('password'); - $self->{request}->otp ($q->param ('otp')) + $self->{request}->otp (scalar $q->param ('otp')) if $q->param ('otp'); - $self->{request}->device_id ($q->param ('device_id')) + $self->{request}->device_id (scalar $q->param ('device_id')) if $q->param ('device_id'); - $self->{request}->otp_type ($q->param ('factor_type')) + $self->{request}->otp_type (scalar $q->param ('factor_type')) if $q->param ('factor_type'); - $self->{request}->authz_subject ($q->param ('authz_subject')) + $self->{request}->authz_subject (scalar $q->param ('authz_subject')) if $q->param ('authz_subject'); - $self->{request}->login_state ($q->param ('LS')) + $self->{request}->login_state (scalar $q->param ('LS')) if $q->param ('LS'); # For the initial login page and password change page, we may need to map 
@@ -1662,7 +1662,7 @@ sub setup_kdc_request { } $q->param ('username', $username); } - $self->{request}->user ($q->param ('username')) if $q->param ('username'); + $self->{request}->user (scalar $q->param ('username')) if $q->param ('username'); # Check for replays or rate limiting of failed authentications for the # initial login page, the multifactor login page, and the multifactor_send diff --git a/weblogin/templates/help.html b/weblogin/templates/help.html index 7847a24a..08eb606f 100644 --- a/weblogin/templates/help.html +++ b/weblogin/templates/help.html @@ -85,12 +85,12 @@ <h2><a name="remember"></a>What if I don't use this machine regularly?</h2> - <p>Uncheck the check box. WebLogin will then set up single sign-on - for this browser session nor (if applicable) store any multifactor - authentication information. Therefore, you will be prompted to log - in the next time you are required to authenticate as though you had - not previously visited a WebAuth-protected site during this web - browser session.</p> + <p>Uncheck the check box. WebLogin will then neither set up single + sign-on for this browser session nor (if applicable) store any + multifactor authentication information. Therefore, you will be + prompted to log in the next time you are required to authenticate as + though you had not previously visited a WebAuth-protected site + during this web browser session.</p> <h2><a name="help"></a>Help! What did I do wrong?</h2> |