From: Moritz Schlarb Date: Wed, 16 Apr 2025 10:53:13 +0200 Subject: Fix CVE-2025-31492 "protected content leakage when using OIDCProviderAuthRequestMethod POST" Backported applicable portions from upstream fix in https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127 --- src/mod_auth_openidc.c | 6 +++++- src/mod_auth_openidc.h | 3 ++- src/proto.c | 14 +++++++++----- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c index 63fa99f..9f19b63 100644 --- a/src/mod_auth_openidc.c +++ b/src/mod_auth_openidc.c @@ -4387,7 +4387,11 @@ int oidc_content_handler(request_rec *r) { rc = oidc_discovery(r, c); - } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) { + } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) { + + rc = OK; + + } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) { rc = OK; diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h index a67bbfb..7c23c94 100644 --- a/src/mod_auth_openidc.h +++ b/src/mod_auth_openidc.h @@ -109,7 +109,8 @@ APLOG_USE_MODULE(auth_openidc); #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i" #define OIDC_REQUEST_STATE_KEY_CLAIMS "c" #define OIDC_REQUEST_STATE_KEY_DISCOVERY "d" -#define OIDC_REQUEST_STATE_KEY_AUTHN "a" +#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a" +#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p" #define OIDC_REQUEST_STATE_KEY_SAVE "s" /* parameter name of the callback URL in the discovery response */ diff --git a/src/proto.c b/src/proto.c index 470ec7d..afb8ad8 100644 --- a/src/proto.c +++ b/src/proto.c @@ -585,7 +585,7 @@ static int oidc_proto_add_form_post_param(void *rec, const char *key, /* * make the browser POST parameters through Javascript auto-submit */ -static int oidc_proto_html_post(request_rec *r, const char *url, +static void oidc_proto_html_post(request_rec *r, const char *url, apr_table_t *params) { oidc_debug(r, "enter"); @@ -601,7 +601,7 @@ static int oidc_proto_html_post(request_rec *r, const char *url, html_body = apr_psprintf(r->pool, "%s%s", data.html_body, "

\n" " \n"); - return oidc_util_html_send(r, "Submitting...", NULL, + oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK); } @@ -733,8 +733,12 @@ int oidc_proto_authorization_request(request_rec *r, if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) { /* construct a HTML POST auto-submit page with the authorization request parameters */ - rv = oidc_proto_html_post(r, provider->authorization_endpoint_url, - params); + oidc_proto_html_post(r, provider->authorization_endpoint_url, params); + + /* signal this to the content handler */ + oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, ""); + r->user = ""; + rv = OK; } else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) { @@ -756,7 +760,7 @@ int oidc_proto_authorization_request(request_rec *r, } else { /* signal this to the content handler */ - oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, ""); + oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, ""); r->user = ""; rv = OK;