|
 |
a0f8fc |
From 6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f Mon Sep 17 00:00:00 2001
|
|
|
a0f8fc |
From: Olav Morken <olav.morken@uninett.no>
|
|
|
a0f8fc |
Date: Wed, 25 Jul 2018 12:19:39 +0200
|
|
|
a0f8fc |
Subject: [PATCH] Fix incorrect header used for detecting AJAX requests
|
|
|
a0f8fc |
|
|
|
a0f8fc |
The code was looking for "X-Request-With", but the header is actually
|
|
|
a0f8fc |
"X-Requested-With". As far as I can tell, it has always been the
|
|
|
a0f8fc |
latter, at least in the jQuery source code.
|
|
|
a0f8fc |
|
|
|
a0f8fc |
Fixes issue #174.
|
|
|
a0f8fc |
---
|
|
|
a0f8fc |
README.md | 2 +-
|
|
|
a0f8fc |
auth_mellon_handler.c | 4 ++--
|
|
|
a0f8fc |
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
a0f8fc |
|
|
|
a0f8fc |
diff --git a/README.md b/README.md
|
|
|
a0f8fc |
index 0a91dc5..8d85b43 100644
|
|
|
a0f8fc |
--- a/README.md
|
|
|
a0f8fc |
+++ b/README.md
|
|
|
a0f8fc |
@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off
|
|
|
a0f8fc |
# then we will redirect him to the login page of the IdP.
|
|
|
a0f8fc |
#
|
|
|
a0f8fc |
# There is a special handling of AJAX requests, that are
|
|
|
a0f8fc |
- # identified by the "X-Request-With: XMLHttpRequest" HTTP
|
|
|
a0f8fc |
+ # identified by the "X-Requested-With: XMLHttpRequest" HTTP
|
|
|
a0f8fc |
# header. Since no user interaction can happen there,
|
|
|
a0f8fc |
# we always fail unauthenticated (not logged in) requests
|
|
|
a0f8fc |
# with a 403 Forbidden error without redirecting to the IdP.
|
|
|
a0f8fc |
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
|
|
|
a0f8fc |
index b16dc45..e33e6e9 100644
|
|
|
a0f8fc |
--- a/auth_mellon_handler.c
|
|
|
a0f8fc |
+++ b/auth_mellon_handler.c
|
|
|
a0f8fc |
@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r)
|
|
|
a0f8fc |
* If this is an AJAX request, we cannot proceed to the IdP,
|
|
|
a0f8fc |
* Just fail early to save our resources
|
|
|
a0f8fc |
*/
|
|
|
a0f8fc |
- ajax_header = apr_table_get(r->headers_in, "X-Request-With");
|
|
|
a0f8fc |
+ ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
|
|
|
a0f8fc |
if (ajax_header != NULL &&
|
|
|
a0f8fc |
strcmp(ajax_header, "XMLHttpRequest") == 0) {
|
|
|
a0f8fc |
AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
|
|
|
a0f8fc |
- "Deny unauthenticated X-Request-With XMLHttpRequest "
|
|
|
a0f8fc |
+ "Deny unauthenticated X-Requested-With XMLHttpRequest "
|
|
|
a0f8fc |
"(AJAX) request");
|
|
|
a0f8fc |
return HTTP_FORBIDDEN;
|
|
|
a0f8fc |
}
|
|
|
a0f8fc |
--
|
|
|
a0f8fc |
2.20.1
|
|
|
a0f8fc |
|