42 lines
1.4 KiB
Diff
42 lines
1.4 KiB
Diff
From dad95a3ca050910d44ff346edead722e341417ef Mon Sep 17 00:00:00 2001
|
|
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
|
|
Date: Fri, 25 Jun 2021 11:42:57 +0200
|
|
Subject: [PATCH 2/3] avoid XSS vulnerability when using OIDCPreservePost On
|
|
|
|
and supplying URLs that contain single quotes; thanks @oss-aimoto
|
|
|
|
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
|
|
---
|
|
ChangeLog | 4 ++++
|
|
src/mod_auth_openidc.c | 2 +-
|
|
2 files changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/ChangeLog b/ChangeLog
|
|
index b4ab0a1..7054f0b 100644
|
|
--- a/ChangeLog
|
|
+++ b/ChangeLog
|
|
@@ -1,3 +1,7 @@
|
|
+06/25/2021
|
|
+- avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes
|
|
+ thanks @oss-aimoto
|
|
+
|
|
06/10/2021
|
|
- use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
|
|
- bump to 2.4.9-dev
|
|
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
|
|
index 4cc7976..ea84e5e 100644
|
|
--- a/src/mod_auth_openidc.c
|
|
+++ b/src/mod_auth_openidc.c
|
|
@@ -519,7 +519,7 @@ static int oidc_request_post_preserved_restore(request_rec *r,
|
|
" input.type = \"hidden\";\n"
|
|
" document.forms[0].appendChild(input);\n"
|
|
" }\n"
|
|
- " document.forms[0].action = '%s';\n"
|
|
+ " document.forms[0].action = \"%s\";\n"
|
|
" document.forms[0].submit();\n"
|
|
" }\n"
|
|
" </script>\n", method, original_url);
|
|
--
|
|
2.27.0
|
|
|