From 3f61e7b718fb22a81400f8890b04454f15f78bd4 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 13 May 2025 15:06:43 +0000
Subject: [PATCH] import UBI mod_auth_openidc-2.4.10-1.el9_6.1
---
SOURCES/0005-CVE-2024-24814.patch | 83 +++++++++++++++++++++++++++++++
SPECS/mod_auth_openidc.spec | 7 ++-
2 files changed, 89 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/0005-CVE-2024-24814.patch
diff --git a/SOURCES/0005-CVE-2024-24814.patch b/SOURCES/0005-CVE-2024-24814.patch
new file mode 100644
index 0000000..3ab9eb6
--- /dev/null
+++ b/SOURCES/0005-CVE-2024-24814.patch
@@ -0,0 +1,83 @@
+diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
+--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig 2025-04-09 13:28:07.727364016 +0200
++++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c 2025-04-10 17:35:35.078190167 +0200
+@@ -4284,7 +4284,11 @@ int oidc_content_handler(request_rec *r)
+
+ rc = oidc_discovery(r, c);
+
+- } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
++ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
++
++ rc = OK;
++
++ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
+
+ rc = OK;
+
+diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.h
+--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig 2025-04-09 15:59:53.319640594 +0200
++++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.h 2025-04-09 16:06:36.736950353 +0200
+@@ -105,7 +105,8 @@ APLOG_USE_MODULE(auth_openidc);
+ #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
+ #define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
+ #define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
+-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
++#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
++#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
+
+ /* parameter name of the callback URL in the discovery response */
+ #define OIDC_DISC_CB_PARAM "oidc_callback"
+diff -up mod_auth_openidc-2.4.10/src/proto.c.orig mod_auth_openidc-2.4.10/src/proto.c
+--- mod_auth_openidc-2.4.10/src/proto.c.orig 2021-11-05 11:55:03.000000000 +0100
++++ mod_auth_openidc-2.4.10/src/proto.c 2025-04-10 17:54:42.459819654 +0200
+@@ -585,7 +585,7 @@ static int oidc_proto_add_form_post_para
+ /*
+ * make the browser POST parameters through Javascript auto-submit
+ */
+-static int oidc_proto_html_post(request_rec *r, const char *url,
++static void oidc_proto_html_post(request_rec *r, const char *url,
+ apr_table_t *params) {
+
+ oidc_debug(r, "enter");
+@@ -601,8 +601,7 @@ static int oidc_proto_html_post(request_
+ html_body = apr_psprintf(r->pool, "%s%s", data.html_body, "
\n"
+ " \n");
+
+- return oidc_util_html_send(r, "Submitting...", NULL,
+- "document.forms[0].submit", html_body, OK);
++ oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
+ }
+
+ void add_auth_request_params(request_rec *r, apr_table_t *params,
+@@ -733,8 +732,12 @@ int oidc_proto_authorization_request(req
+ if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
+
+ /* construct a HTML POST auto-submit page with the authorization request parameters */
+- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
+- params);
++ oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
++
++ /* signal this to the content handler */
++ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
++ r->user = "";
++ rv = OK;
+
+ } else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
+
+@@ -742,7 +745,6 @@ int oidc_proto_authorization_request(req
+ authorization_request = oidc_util_http_query_encoded_url(r,
+ provider->authorization_endpoint_url, params);
+
+- // TODO: should also enable this when using the POST binding for the auth request
+ /* see if we need to preserve POST parameters through Javascript/HTML5 storage */
+ if (oidc_post_preserve_javascript(r, authorization_request, NULL,
+ NULL) == FALSE) {
+@@ -756,7 +758,7 @@ int oidc_proto_authorization_request(req
+ } else {
+
+ /* signal this to the content handler */
+- oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
++ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
+ r->user = "";
+ rv = OK;
+
diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec
index 0b743bf..e82f70e 100644
--- a/SPECS/mod_auth_openidc.spec
+++ b/SPECS/mod_auth_openidc.spec
@@ -15,7 +15,7 @@
Name: mod_auth_openidc
Version: 2.4.10
-Release: 1%{?dist}
+Release: 1%{?dist}.1
Summary: OpenID Connect auth module for Apache HTTP Server
License: ASL 2.0
@@ -26,6 +26,7 @@ Patch1: 0001-CVE-2022-23527.patch
Patch2: 0002-CVE-2023-28625.patch
Patch3: 0003-CVE-2024-24814.patch
Patch4: 0004-race-condition.patch
+Patch5: 0005-CVE-2024-24814.patch
BuildRequires: gcc
BuildRequires: httpd-devel
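Review bot: The new entry is `Patch5: 0005-CVE-2024-24814.patch`, but the changelog added in this same commit attributes the change to CVE-2025-31492, and `Patch3: 0003-CVE-2024-24814.patch` already carries the CVE-2024-24814 name, so the file name points at the wrong advisory and will mislead anyone auditing which CVEs this package addresses. I would rename the file to `0005-CVE-2025-31492.patch` and update this line to match, or, if the name has to stay, add a comment directly above it, `# Fixes CVE-2025-31492 (RHEL-86224); file name kept for history`. The patch payload itself is the separate new-file diff earlier in this commit.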
@@ -99,6 +100,10 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog
+* Fri Apr 11 2025 Tomas Halman - 2.4.10-1%{?dist}.1
+ Resolves: RHEL-86224 - mod_auth_openidc allows OIDCProviderAuthRequestMethod
+ POSTs to leak protected data (CVE-2025-31492)
+
* Fri Apr 12 2024 Tomas Halman - 2.4.10-1
Rebase to 2.4.10 version improves `state cookies piling up` problem
Resolves: RHEL-32450 Race condition in mod_auth_openidc filecache