Blob Blame History Raw
From d3973074a984f78af2267006625a11e672574dff Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hzandbelt@pingidentity.com>
Date: Thu, 19 Jan 2017 00:03:37 +0100
Subject: [PATCH 1000/1002] don't echo query params on invalid requests to
 redirect URI; closes #212

thanks @LukasReschke; I'm sure there's some OWASP guideline that warns
against this

(cherry picked from commit 612e309bfffd6f9b8ad7cdccda3019fc0865f3b4)
---
 src/mod_auth_openidc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 2db6108..a494238 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -2493,8 +2493,8 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
 	/* something went wrong */
 	return oidc_util_html_send_error(r, c->error_template, "Invalid Request",
 			apr_psprintf(r->pool,
-					"The OpenID Connect callback URL received an invalid request: %s",
-					r->args), HTTP_INTERNAL_SERVER_ERROR);
+					"The OpenID Connect callback URL received an invalid request"),
+					HTTP_INTERNAL_SERVER_ERROR);
 }
 
 /*
-- 
2.19.2