pkgsrc-Changes archive


CVS commit: pkgsrc/www/ap2-auth-mellon



Module Name:    pkgsrc
Committed By:   manu
Date:           Tue Oct 18 15:13:41 UTC 2016

Modified Files:
        pkgsrc/www/ap2-auth-mellon: Makefile distinfo
Added Files:
        pkgsrc/www/ap2-auth-mellon/patches: patch-0347

Log Message:
Do not redirect unauthenticated AJAX request to the IdP

When MellonEnable is "auth" and we get an unauthenticated AJAX
request (identified by the X-Request-With: XMLHttpRequest HTTP
header), fail with HTTP code 403 Forbidden instead of redirecting
to the IdP. This saves resources, as the client has no opportunity
to interact with the user to complete authentication.
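The decision the commit message describes, as an added stand-alone example rather than mod_auth_mellon's own code: an unauthenticated request carrying the XMLHttpRequest marker is failed with 403, any other unauthenticated request is sent to the IdP, and an authenticated one is allowed through. The helper names (`am_decide`, `header_get`), the header arrays and the host name are constructed for this example. The header name is a parameter so that the spelling used in the patch, `X-Request-With`, can be compared with the name browsers and XHR libraries actually send, `X-Requested-With` (a fact added here, not stated on the page); header names are matched case-insensitively as apr_table_get does, and the value exactly as the patch's strcmp does.

```c
/*
 * Added example (not mod_auth_mellon code): the unauthenticated-AJAX
 * decision modelled outside Apache so it runs stand-alone.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

enum am_decision { AM_ALLOW = 200, AM_REDIRECT_IDP = 302, AM_FORBIDDEN = 403 };

struct header { const char *name; const char *value; };

/* Case-insensitive header lookup; NULL when absent (like apr_table_get). */
static const char *header_get(const struct header *h, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(h[i].name, name) == 0)
            return h[i].value;
    return NULL;
}

/*
 * Mirror of the patch's logic with the header name as a parameter, so the
 * effect of the exact name spelled in the check can be demonstrated.
 * The value check is exact (strcmp), as in the patch.
 */
enum am_decision am_decide(int authenticated, const struct header *h, size_t n,
                           const char *ajax_header_name)
{
    if (authenticated)
        return AM_ALLOW;
    const char *v = header_get(h, n, ajax_header_name);
    if (v != NULL && strcmp(v, "XMLHttpRequest") == 0)
        return AM_FORBIDDEN;      /* no user to interact with: fail early */
    return AM_REDIRECT_IDP;       /* interactive client: send to IdP login */
}

/* Constructed sample: what a browser XHR (jQuery-style) actually sends. */
static const struct header xhr_headers[] = {
    { "Host", "sp.example.test" },
    { "x-requested-with", "XMLHttpRequest" },   /* lower-case name on purpose */
    { "Accept", "application/json" },
};
/* Constructed sample: a plain page navigation, no XHR marker at all. */
static const struct header nav_headers[] = {
    { "Host", "sp.example.test" },
    { "Accept", "text/html" },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* XHR sample checked with the header name as spelled in the patch. */
enum am_decision xhr_with_patch_name(void)
{ return am_decide(0, xhr_headers, N(xhr_headers), "X-Request-With"); }

/* Same request checked against the de facto standard header name. */
enum am_decision xhr_with_standard_name(void)
{ return am_decide(0, xhr_headers, N(xhr_headers), "X-Requested-With"); }

enum am_decision nav_unauthenticated(void)
{ return am_decide(0, nav_headers, N(nav_headers), "X-Requested-With"); }

enum am_decision nav_authenticated(void)
{ return am_decide(1, nav_headers, N(nav_headers), "X-Requested-With"); }

int main(void)
{
    printf("XHR, check 'X-Request-With'   -> %d\n", xhr_with_patch_name());
    printf("XHR, check 'X-Requested-With' -> %d\n", xhr_with_standard_name());
    printf("navigation, unauthenticated   -> %d\n", nav_unauthenticated());
    printf("navigation, authenticated     -> %d\n", nav_authenticated());
    return 0;
}
```

With the name as spelled in the patch the browser XHR sample is not recognised and still gets the redirect, which is the case to exercise when testing this change against a real client; the marker is set by the client, so the early 403 is a resource-saving shortcut and the authentication decision itself is unchanged either way.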


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 pkgsrc/www/ap2-auth-mellon/Makefile
cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/ap2-auth-mellon/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/ap2-auth-mellon/patches/patch-0347

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/ap2-auth-mellon/Makefile
diff -u pkgsrc/www/ap2-auth-mellon/Makefile:1.35 pkgsrc/www/ap2-auth-mellon/Makefile:1.36
--- pkgsrc/www/ap2-auth-mellon/Makefile:1.35    Fri Oct  7 18:26:12 2016
+++ pkgsrc/www/ap2-auth-mellon/Makefile Tue Oct 18 15:13:41 2016
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.35 2016/10/07 18:26:12 adam Exp $
+# $NetBSD: Makefile,v 1.36 2016/10/18 15:13:41 manu Exp $
 #
 
 DISTNAME=      mod_auth_mellon-0.12.0  
 PKGNAME=       ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    www security
 MASTER_SITES=  https://github.com/UNINETT/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/
 

Index: pkgsrc/www/ap2-auth-mellon/distinfo
diff -u pkgsrc/www/ap2-auth-mellon/distinfo:1.15 pkgsrc/www/ap2-auth-mellon/distinfo:1.16
--- pkgsrc/www/ap2-auth-mellon/distinfo:1.15    Mon Mar 14 09:58:57 2016
+++ pkgsrc/www/ap2-auth-mellon/distinfo Tue Oct 18 15:13:41 2016
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.15 2016/03/14 09:58:57 manu Exp $
+$NetBSD: distinfo,v 1.16 2016/10/18 15:13:41 manu Exp $
 
 SHA1 (mod_auth_mellon-0.12.0.tar.gz) = 3d5cd4137154a7c848d8f3121e6497b88dc5f23e
 RMD160 (mod_auth_mellon-0.12.0.tar.gz) = 7ef278de6f4d0f0669d99c113706dc63d64f6fbc
 Size (mod_auth_mellon-0.12.0.tar.gz) = 136754 bytes
 SHA1 (patch-0274) = e523b560f8220352090db686a32a5f81f6579fda
+SHA1 (patch-0347) = d14d5a20d05fae3962e5168a0b23ab55835452ca

Added files:

Index: pkgsrc/www/ap2-auth-mellon/patches/patch-0347
diff -u /dev/null pkgsrc/www/ap2-auth-mellon/patches/patch-0347:1.1
--- /dev/null   Tue Oct 18 15:13:41 2016
+++ pkgsrc/www/ap2-auth-mellon/patches/patch-0347       Tue Oct 18 15:13:41 2016
@@ -0,0 +1,67 @@
+From 78fe67641918016a6108e325be351156999109c9 Mon Sep 17 00:00:00 2001
+From: Emmanuel Dreyfus <manu%netbsd.org@localhost>
+Date: Tue, 18 Oct 2016 01:42:53 +0200
+Subject: [PATCH] Do not redirect unauthenticated AJAX request to the IdP
+
+When MellonEnable is "auth" and we get an unauthenticated AJAX
+request (identified by the X-Request-With: XMLHttpRequest HTTP
+header), fail with HTTP code 403 Forbidden instead of redirecting
+to the IdP. This saves resources, as the client has no opportunity
+to interract with the user to complete authentification.
+---
+ README                |  6 ++++++
+ auth_mellon_handler.c | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git README README
+index ec323ab..5960cc8 100644
+--- README
++++ README
+@@ -166,6 +166,12 @@ MellonPostCount 100
+         #           return a 403 Forbidden error. If he isn't authenticated
+         #           then we will redirect him to the login page of the IdP.
+         #
++        #           There is a special handling of AJAX requests, that are
++        #           identified by the "X-Request-With: XMLHttpRequest" HTTP
++        #           header. Since no user interaction can happen there,
++        #           we always fail unauthenticated (not logged in) requests
++        #           with a 403 Forbidden error without redirecting to the IdP.
++        #
+         # Default: MellonEnable "off"
+         MellonEnable "auth"
+ 
+diff --git auth_mellon_handler.c auth_mellon_handler.c
+index 0457189..a55828a 100644
+--- auth_mellon_handler.c
++++ auth_mellon_handler.c
+@@ -3491,6 +3491,7 @@ int am_auth_mellon_user(request_rec *r)
+     am_dir_cfg_rec *dir = am_get_dir_cfg(r);
+     int return_code = HTTP_UNAUTHORIZED;
+     am_cache_entry_t *session;
++    const char *ajax_header;
+ 
+     if (r->main) {
+         /* We are a subrequest. Trust the main request to have
+@@ -3534,6 +3535,19 @@ int am_auth_mellon_user(request_rec *r)
+                 am_release_request_session(r, session);
+             }
+ 
++            /*
++             * If this is an AJAX request, we cannot proceed to the IdP,
++             * Just fail early to save our resources
++             */
++            ajax_header = apr_table_get(r->headers_in, "X-Request-With");
++            if (ajax_header != NULL &&
++                strcmp(ajax_header, "XMLHttpRequest") == 0) {
++                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++                      "Deny unauthenticated X-Request-With XMLHttpRequest "
++                      "(AJAX) request");
++                    return HTTP_FORBIDDEN;
++            }
++
+ #ifdef HAVE_ECP
+             /*
+              * If PAOS set a flag on the request indicating we're
+-- 
+2.3.2
+
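Review bot: the header name in the auth_mellon_handler.c hunk, `apr_table_get(r->headers_in, "X-Request-With")`, does not match the header XHR clients send, which is `X-Requested-With`; as written the new branch never fires for a real browser XHR and those requests keep getting the IdP redirect, and the README text and log message repeat the same spelling. Suggest `ajax_header = apr_table_get(r->headers_in, "X-Requested-With");` and the matching README wording, plus a test against an actual XMLHttpRequest before the PKGREVISION bump is relied on. Two smaller points in the same hunk: the `ap_log_rerror` call and `return HTTP_FORBIDDEN;` are indented four columns deeper than the enclosing `if`, and since the marker is client-supplied the early 403 is only a resource-saving shortcut (as the description says) and not an access-control decision, which is worth stating in the README comment so nobody reads it as one.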


