mod_auth_openidc/SOURCES/0005-CVE-2024-24814.patch

diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig	2025-04-11 10:49:32.095915197 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c	2025-04-11 10:51:12.493949688 +0200
@@ -4258,7 +4258,11 @@ int oidc_content_handler(request_rec *r)
 
 			rc = oidc_discovery(r, c);
 
-		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
+		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+
+			rc = OK;
+
+		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
 
 			rc = OK;
 
diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h
--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig	2025-04-11 10:49:32.081518446 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h	2025-04-11 10:51:12.495521138 +0200
@@ -88,7 +88,8 @@ APLOG_USE_MODULE(auth_openidc);
 #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
 #define OIDC_REQUEST_STATE_KEY_CLAIMS  "c"
 #define OIDC_REQUEST_STATE_KEY_DISCOVERY  "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN  "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST  "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE  "p"
 
 /* parameter name of the callback URL in the discovery response */
 #define OIDC_DISC_CB_PARAM "oidc_callback"
diff -up mod_auth_openidc-2.4.9.4/src/proto.c.orig mod_auth_openidc-2.4.9.4/src/proto.c
--- mod_auth_openidc-2.4.9.4/src/proto.c.orig	2021-09-03 10:41:21.000000000 +0200
+++ mod_auth_openidc-2.4.9.4/src/proto.c	2025-04-11 10:51:12.495927318 +0200
@@ -591,7 +591,7 @@ static int oidc_proto_add_form_post_para
 /*
  * make the browser POST parameters through Javascript auto-submit
  */
-static int oidc_proto_html_post(request_rec *r, const char *url,
+static void oidc_proto_html_post(request_rec *r, const char *url,
 		apr_table_t *params) {
 
 	oidc_debug(r, "enter");
@@ -607,8 +607,7 @@ static int oidc_proto_html_post(request_
 	html_body = apr_psprintf(r->pool, "%s%s", data.html_body, "      </p>\n"
 			"    </form>\n");
 
-	return oidc_util_html_send(r, "Submitting...", NULL,
-			"document.forms[0].submit", html_body, OK);
+	oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
 }
 
 void add_auth_request_params(request_rec *r, apr_table_t *params,
@@ -739,8 +738,12 @@ int oidc_proto_authorization_request(req
 	if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
 
 		/* construct a HTML POST auto-submit page with the authorization request parameters */
-		rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
-				params);
+		oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
+
+		/* signal this to the content handler */
+		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+		r->user = "";
+		rv = OK;
 
 	} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
 
@@ -748,7 +751,6 @@ int oidc_proto_authorization_request(req
 		authorization_request = oidc_util_http_query_encoded_url(r,
 				provider->authorization_endpoint_url, params);
 
-		// TODO: should also enable this when using the POST binding for the auth request
 		/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
 		if (oidc_post_preserve_javascript(r, authorization_request, NULL,
 				NULL) == FALSE) {
@@ -762,7 +764,7 @@ int oidc_proto_authorization_request(req
 		} else {
 
 			/* signal this to the content handler */
-			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
+			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
 			r->user = "";
 			rv = OK;