From: Moritz Schlarb <schlarbm@uni-mainz.de>
Date: Wed, 16 Apr 2025 10:53:13 +0200
Subject: Fix CVE-2025-31492 "protected content leakage when using
OIDCProviderAuthRequestMethod POST"
Backported applicable portions from upstream fix in
https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
---
src/mod_auth_openidc.c | 6 +++++-
src/mod_auth_openidc.h | 3 ++-
src/proto.c | 14 +++++++++-----
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 63fa99f..9f19b63 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -4387,7 +4387,11 @@ int oidc_content_handler(request_rec *r) {
rc = oidc_discovery(r, c);
- } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+
+ rc = OK;
+
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
rc = OK;
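Review bot: The two new branches in oidc_content_handler have the same body, `rc = OK;`, and nothing in the hunk says why either state key should end content handling. Going by the commit subject, this check is what keeps the protected resource from following the auto-submit form, which appears to be produced earlier in oidc_proto_authorization_request. I would add a comment on the first branch such as `/* POST authn request page already produced; return OK so no protected content is appended */` and a matching one on the PRESERVE branch. The handler's body starts and ends outside this hunk, so the surrounding branches are not visible here.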
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index a67bbfb..7c23c94 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -109,7 +109,8 @@ APLOG_USE_MODULE(auth_openidc);
#define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
#define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
#define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
#define OIDC_REQUEST_STATE_KEY_SAVE "s"
/* parameter name of the callback URL in the discovery response */
diff --git a/src/proto.c b/src/proto.c
index 470ec7d..afb8ad8 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -585,7 +585,7 @@ static int oidc_proto_add_form_post_param(void *rec, const char *key,
/*
* make the browser POST parameters through Javascript auto-submit
*/
-static int oidc_proto_html_post(request_rec *r, const char *url,
+static void oidc_proto_html_post(request_rec *r, const char *url,
apr_table_t *params) {
oidc_debug(r, "enter");
@@ -601,7 +601,7 @@ static int oidc_proto_html_post(request_rec *r, const char *url,
html_body = apr_psprintf(r->pool, "%s%s", data.html_body, " </p>\n"
" </form>\n");
- return oidc_util_html_send(r, "Submitting...", NULL,
+ oidc_util_html_send(r, "Submitting...", NULL,
"document.forms[0].submit", html_body, OK);
}
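Review bot: The result of oidc_util_html_send is now discarded, and the caller in oidc_proto_authorization_request sets `rv = OK` unconditionally, so a failure while producing the form can no longer be reported. What oidc_util_html_send can return is not visible in this patch. If it can return anything other than the `OK` passed as its last argument, keeping the `int` return type and ending the caller's branch with `rv = oidc_proto_html_post(r, provider->authorization_endpoint_url, params);` after the state key is set would propagate the error while still failing closed. If the value is always `OK`, a `(void)` cast on the call with a one-line comment makes the intent explicit.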
@@ -733,8 +733,12 @@ int oidc_proto_authorization_request(request_rec *r,
if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
/* construct a HTML POST auto-submit page with the authorization request parameters */
- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
- params);
+ oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
+
+ /* signal this to the content handler */
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+ r->user = "";
+ rv = OK;
} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
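Review bot: After this change the only thing keeping the protected resource out of the response is the `OIDC_REQUEST_STATE_KEY_AUTHN_POST` check in oidc_content_handler, because `r->user = "";` and `rv = OK;` presumably let the request pass the authentication phase. The comment `/* signal this to the content handler */` should state that dependency, for example `/* form already written; oidc_content_handler must see AUTHN_POST and return OK before any other handler serves the resource */`. Handler registration order is not visible in this patch, so it is worth confirming, along with a regression test that an unauthenticated request with OIDCProviderAuthRequestMethod POST returns only the auto-submit form. The same `r->user = "";` pattern appears in the PRESERVE hunk that follows, and the function body continues outside both hunks.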
@@ -756,7 +760,7 @@ int oidc_proto_authorization_request(request_rec *r,
} else {
/* signal this to the content handler */
- oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
r->user = "";
rv = OK;