From c0e1739e16db9d9381df878a2d39f23c43992e5d Mon Sep 17 00:00:00 2001 From: Packit Date: Sep 23 2020 16:41:04 +0000 Subject: Apply patch 0005-CVE_2019_13038.patch patch_name: 0005-CVE_2019_13038.patch present_in_specfile: true --- diff --git a/auth_mellon_util.c b/auth_mellon_util.c index 6fd83a7..7e98070 100644 --- a/auth_mellon_util.c +++ b/auth_mellon_util.c @@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url) /* Sanity check of the scheme of the domain. We only allow http and https. */ if (uri.scheme) { + /* http and https schemes without hostname are invalid. */ + if (!uri.hostname) { + return HTTP_BAD_REQUEST; + } if (strcasecmp(uri.scheme, "http") && strcasecmp(uri.scheme, "https")) { AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,