From dad95a3ca050910d44ff346edead722e341417ef Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Fri, 25 Jun 2021 11:42:57 +0200
Subject: [PATCH 2/3] avoid XSS vulnerability when using OIDCPreservePost On
and supplying URLs that contain single quotes; thanks @oss-aimoto
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
---
ChangeLog | 4 ++++
src/mod_auth_openidc.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index b4ab0a1..7054f0b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+06/25/2021
+- avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes
+ thanks @oss-aimoto
+
06/10/2021
- use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
- bump to 2.4.9-dev
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 4cc7976..ea84e5e 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -519,7 +519,7 @@ static int oidc_request_post_preserved_restore(request_rec *r,
" input.type = \"hidden\";\n"
" document.forms[0].appendChild(input);\n"
" }\n"
- " document.forms[0].action = '%s';\n"
+ " document.forms[0].action = \"%s\";\n"
" document.forms[0].submit();\n"
" }\n"
" </script>\n", method, original_url);
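Review bot: Changing the quote character on the added `" document.forms[0].action = \"%s\";\n"` line only moves the string delimiter from `'` to `"`; `original_url` is still substituted unescaped into a JavaScript string literal inside an inline `<script>` block, so a value containing `"`, a backslash, a line terminator or a `</script>` sequence can still terminate the literal or the script context, unless `original_url` is already restricted or escaped before this call, which the hunk does not show. The durable fix is to escape the value for a JS string context (backslash, both quote characters, `<`, `>`, CR/LF and U+2028/U+2029 rendered as `\xHH`/`\uHHHH` escapes) or to validate it as a URL made only of URL-safe characters and reject anything else, and pass the escaped or validated copy as the last argument, e.g. `" </script>\n", method, <js_escaped_original_url_placeholder>);` with a short comment on the format string, `/* original_url is emitted inside a JS string literal: must be JS-escaped, not just quoted */`. The same consideration presumably applies to `method`, whose `%s` insertion point is outside the hunk. The enclosing function `oidc_request_post_preserved_restore` starts before this hunk.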
--
2.27.0