From 466f470265554e0e3ae27a6d82375456d2c133e6 Mon Sep 17 00:00:00 2001

From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>

Date: Thu, 22 Jul 2021 15:32:12 +0200

Subject: [PATCH 3/4] replace potentially harmful backslashes with forward

 slashes when validating redirection URLs

(cherry picked from commit 69cb206225c749b51db980d44dc268eee5623f2b)

---

 src/mod_auth_openidc.c | 12 +++++++++++-

 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c

index 68fbca5..c96af75 100644

--- a/src/mod_auth_openidc.c

+++ b/src/mod_auth_openidc.c

@@ -2687,12 +2687,22 @@ static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c,

 	return HTTP_MOVED_TEMPORARILY;

 }

+

+#define OIDC_MAX_URL_LENGTH DEFAULT_LIMIT_REQUEST_LINE * 2

+

 static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,

-		const char *url, apr_byte_t restrict_to_host, char **err_str,

+		const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str,

 		char **err_desc) {

 	apr_uri_t uri;

 	const char *c_host = NULL;

 	apr_hash_index_t *hi = NULL;

+	size_t i = 0;

+	char *url = apr_pstrndup(r->pool, redirect_to_url, OIDC_MAX_URL_LENGTH);

+

+	// replace potentially harmful backslashes with forward slashes

+	for (i = 0; i < strlen(url); i++)

+		if (url[i] == '\\')

+			url[i] = '/';

 	if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {

 		*err_str = apr_pstrdup(r->pool, "Malformed URL");

-- 

2.31.1