From d3973074a984f78af2267006625a11e672574dff Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Thu, 19 Jan 2017 00:03:37 +0100
Subject: [PATCH 1000/1002] don't echo query params on invalid requests to redirect URI; closes #212 thanks @LukasReschke; I'm sure there's some OWASP guideline that warns against this
(cherry picked from commit 612e309bfffd6f9b8ad7cdccda3019fc0865f3b4)
---
 src/mod_auth_openidc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 2db6108..a494238 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -2493,8 +2493,8 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
 /* something went wrong */
 return oidc_util_html_send_error(r, c->error_template, "Invalid Request",
 apr_psprintf(r->pool,
- "The OpenID Connect callback URL received an invalid request: %s",
- r->args), HTTP_INTERNAL_SERVER_ERROR);
+ "The OpenID Connect callback URL received an invalid request"),
+ HTTP_INTERNAL_SERVER_ERROR);
 }
 /*
--
2.19.2
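Review bot: The new `return oidc_util_html_send_error(...)` no longer sends `r->args` to the browser, but nothing visible in the hunk records it server-side, so operators lose the only trace of what reached the callback URL. Unless a log call already sits above the hunk, I would add `oidc_error(r, "invalid request to the redirect URI: %s", r->args);` just before the return, so the detail lands in the error log instead of the response. The remaining `apr_psprintf(r->pool, "...")` has no format arguments and can presumably be replaced by the string literal itself, assuming the description parameter is a `const char *`. `HTTP_INTERNAL_SERVER_ERROR` is also worth reconsidering for a malformed client request, since any unauthenticated caller can trigger it and it will surface as server faults in monitoring; `HTTP_BAD_REQUEST` would fit better if no caller depends on the 500. The body of `oidc_handle_redirect_uri_request` starts outside the hunk, so the log call may already exist there.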