From f1e8dec3e749eea3a54553e07b7a1994a4aaf5b9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Fri, 23 Nov 2018 15:38:42 +0100
Subject: [PATCH 1001/1002] Backport security fix: scrub headers on
OIDCUnAuthAction pass; closes #222
---
src/mod_auth_openidc.c | 46 ++++++++++++++++++++++++++++--------------
1 file changed, 31 insertions(+), 15 deletions(-)
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index a494238..f00280f 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -133,6 +133,29 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix,
r->headers_in = clean_headers;
}
+static void oidc_scrub_headers(request_rec *r) {
+ oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
+ &auth_openidc_module);
+
+ /* get a handle to the directory config */
+ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+ &auth_openidc_module);
+
+ if (cfg->scrub_request_headers != 0) {
+ /* scrub all headers starting with OIDC_ first */
+ oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
+ dir_cfg->authn_header);
+ /*
+ * then see if the claim headers need to be removed on top of that
+ * (i.e. the prefix does not start with the default OIDC_)
+ */
+ if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
+ != cfg->claim_prefix)) {
+ oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
+ }
+ }
+}
+
#define OIDC_SHA1_LEN 20
/*
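Review bot: The new `oidc_scrub_headers` carries no header comment, and its behaviour when `cfg->scrub_request_headers` is 0 is a silent no-op; now that this function is the only thing that strips client-supplied `OIDC_*` / claim-prefix headers on the PASS path (third hunk), that conditional deserves to be stated at the definition, e.g. `/* remove request headers the client may have supplied under OIDC_DEFAULT_HEADER_PREFIX or the configured claim prefix; does nothing when scrub_request_headers is disabled */`. Whether the `dir_cfg->authn_header` argument is itself removed or preserved by `oidc_scrub_request_headers` cannot be seen from this hunk, so the comment should say which it is. The prefix test `strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) != cfg->claim_prefix` is carried over from the old inline code, but in a fresh function `strncmp(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX, strlen(OIDC_DEFAULT_HEADER_PREFIX)) != 0` states the "does not start with" intent directly and does not scan the whole string; it also assumes `claim_prefix` is never NULL, which the hunk does not show.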
@@ -988,21 +1011,7 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
* we're going to pass the information that we have to the application,
* but first we need to scrub the headers that we're going to use for security reasons
*/
- if (cfg->scrub_request_headers != 0) {
-
- /* scrub all headers starting with OIDC_ first */
- oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
- dir_cfg->authn_header);
-
- /*
- * then see if the claim headers need to be removed on top of that
- * (i.e. the prefix does not start with the default OIDC_)
- */
- if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
- != cfg->claim_prefix)) {
- oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
- }
- }
+ oidc_scrub_headers(r);
/* set the user authentication HTTP header if set and required */
if ((r->user != NULL) && (dir_cfg->authn_header != NULL))
@@ -2560,6 +2569,13 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) {
case RETURN401:
return HTTP_UNAUTHORIZED;
case PASS:
+ /*
+ * we're not going to pass information about
+ * an authenticated user to the application, *
+ * but we do need to scrub the headers that
+ * mod_auth_openidc would set for security reasons
+ */
+ oidc_scrub_headers(r);
return OK;
case AUTHENTICATE:
/* if this is a Javascript path we won't redirect the user and create a state cookie */
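Review bot: The added comment has a stray `*` at the end of its second line (`an authenticated user to the application, *`), which reads as a typo in the block comment; change it to `* an authenticated user to the application,`. Since this is the fix the commit exists for, the comment could also name the condition it depends on: `oidc_scrub_headers()` only strips headers when `scrub_request_headers` is enabled, so a deployment that disabled scrubbing still forwards whatever `OIDC_*` headers the client sent on the PASS path; a line such as `* (only effective when scrub_request_headers is enabled)` makes that visible to whoever reads this case label. The enclosing `oidc_check_userid_openidc` switch continues outside the hunk.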
--
2.19.2