File apache2-mod_auth_openidc-CVE-2025-31492.patch of Package apache2-mod_auth_openidc.38684

Index: mod_auth_openidc-2.4.0/src/mod_auth_openidc.c
===================================================================
--- mod_auth_openidc-2.4.0.orig/src/mod_auth_openidc.c
+++ mod_auth_openidc-2.4.0/src/mod_auth_openidc.c
@@ -4217,8 +4216,16 @@ int oidc_content_handler(request_rec *r)
 		return DECLINED;
 	oidc_cfg *c = ap_get_module_config(r->server->module_config,
 			&auth_openidc_module);
-	return oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, c)) ?
-			OK : DECLINED;
+	int rc = DECLINED;
+	if (oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, c))) {
+		rc = OK;
+        } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+                rc = OK;
+        } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
+                rc = OK;
+        }
+
+	return rc;
 }
 
 extern const command_rec oidc_config_cmds[];
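Review bot: The two new `else if` branches in oidc_content_handler have no comment saying why a request that does not match the redirect URI is still claimed with OK, and they are indented with spaces where the surrounding lines use tabs. Judging from the rest of this patch, the keys are set after the module has already written an auto-submit or POST-preserve page, so returning OK presumably stops any other content handler from adding the protected resource to that response. A comment such as `/* the authn phase already sent an HTML page for this request: claim it so no other handler appends content */` would record that. The three branches could also be folded into one condition, which makes it harder to drop one of them in a later backport. The function begins above this hunk.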
Index: mod_auth_openidc-2.4.0/src/mod_auth_openidc.h
===================================================================
--- mod_auth_openidc-2.4.0.orig/src/mod_auth_openidc.h
+++ mod_auth_openidc-2.4.0/src/mod_auth_openidc.h
@@ -95,6 +95,8 @@ APLOG_USE_MODULE(auth_openidc);
 /* keys for storing info in the request state */
 #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
 #define OIDC_REQUEST_STATE_KEY_CLAIMS  "c"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
 
 /* parameter name of the callback URL in the discovery response */
 #define OIDC_DISC_CB_PARAM "oidc_callback"
Index: mod_auth_openidc-2.4.0/src/proto.c
===================================================================
--- mod_auth_openidc-2.4.0.orig/src/proto.c
+++ mod_auth_openidc-2.4.0/src/proto.c
@@ -597,7 +597,7 @@ static int oidc_proto_add_form_post_para
 /*
  * make the browser POST parameters through Javascript auto-submit
  */
-static int oidc_proto_html_post(request_rec *r, const char *url,
+static void oidc_proto_html_post(request_rec *r, const char *url,
 		apr_table_t *params) {
 
 	oidc_debug(r, "enter");
@@ -613,7 +613,7 @@ static int oidc_proto_html_post(request_
 	html_body = apr_psprintf(r->pool, "%s%s", data.html_body, "      </p>\n"
 			"    </form>\n");
 
-	return oidc_util_html_send(r, "Submitting...", NULL,
+	oidc_util_html_send(r, "Submitting...", NULL,
 			"document.forms[0].submit", html_body, OK);
 }
 
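Review bot: With the return type changed to void, the status of `oidc_util_html_send(...)` is now discarded, and the caller in oidc_proto_authorization_request (next hunk) sets `rv = OK` unconditionally after the call. If oidc_util_html_send can report a failure (its body is not visible here), that error is no longer propagated and the request is still marked for the content handler. Keeping `static int` with `return oidc_util_html_send(...)`, and setting the state key only when the result is OK, would preserve the earlier error path. The function body starts outside this hunk.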
@@ -739,16 +739,20 @@ int oidc_proto_authorization_request(req
 	if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
 
 		/* construct a HTML POST auto-submit page with the authorization request parameters */
-		rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
+		oidc_proto_html_post(r, provider->authorization_endpoint_url,
 				params);
 
+		/* signal this to the content handler */
+		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+                r->user = "";
+                rv = OK;
+
 	} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
 
 		/* construct the full authorization request URL */
 		authorization_request = oidc_util_http_query_encoded_url(r,
 				provider->authorization_endpoint_url, params);
 
-		// TODO: should also enable this when using the POST binding for the auth request
 		/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
 		if (oidc_post_preserve_javascript(r, authorization_request, NULL,
 				NULL) == FALSE) {
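Review bot: The TODO removed at the top of the GET branch still seems to describe the code: the POST branch above calls oidc_proto_html_post and never oidc_post_preserve_javascript, so POST-parameter preservation is not enabled for the POST binding by this change. Either keep `// TODO: should also enable this when using the POST binding for the auth request` or say in the patch description that it is dropped on purpose. The added `r->user = "";` and `rv = OK;` lines in the POST branch are space-indented while the file uses tabs. oidc_proto_authorization_request begins and ends outside this hunk.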
@@ -758,6 +762,11 @@ int oidc_proto_authorization_request(req
 
 			/* and tell Apache to return an HTTP Redirect (302) message */
 			rv = HTTP_MOVED_TEMPORARILY;
+		} else {
+			/* signal this to the content handler */
+			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
+			r->user = "";
+			rv = OK;
 		}
 	} else {
 		oidc_error(r, "provider->auth_request_method set to wrong value: %d",
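Review bot: The three lines added in this `else` branch (`oidc_request_state_set(...)`, `r->user = "";`, `rv = OK;`) repeat the sequence added to the POST branch in the previous hunk, differing only in the key. Since oidc_content_handler relies on both paths setting their key, a small static helper taking the key would keep the two from drifting apart. The comment could also say what the empty `r->user` is for. It presumably lets the request pass the authentication phase without a real identity, but that is not visible in this hunk. The enclosing function starts and ends outside the hunk.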