From d3973074a984f78af2267006625a11e672574dff Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hzandbelt@pingidentity.com>
Date: Thu, 19 Jan 2017 00:03:37 +0100
Subject: [PATCH 1000/1002] don't echo query params on invalid requests to
redirect URI; closes #212
thanks @LukasReschke; I'm sure there's some OWASP guideline that warns
against this
(cherry picked from commit 612e309bfffd6f9b8ad7cdccda3019fc0865f3b4)
---
src/mod_auth_openidc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 2db6108..a494238 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -2493,8 +2493,8 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
/* something went wrong */
return oidc_util_html_send_error(r, c->error_template, "Invalid Request",
apr_psprintf(r->pool,
- "The OpenID Connect callback URL received an invalid request: %s",
- r->args), HTTP_INTERNAL_SERVER_ERROR);
+ "The OpenID Connect callback URL received an invalid request"),
+ HTTP_INTERNAL_SERVER_ERROR);
}
/*
--
2.19.2