File apache2-mod_auth_openidc-CVE-2025-31492.patch of Package apache2-mod_auth_openidc.38316
Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.c
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
@@ -3773,6 +3773,12 @@ int oidc_content_handler(request_rec *r)
}
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+ /* sending POST authentication request */
+ rc = OK;
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
+ /* sending POST preserve request */
+ rc = OK;
}
return rc;
}
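Review bot: The two new branches finish the request with `rc = OK` without writing anything, and the comments do not say why that is safe. Judging from the proto.c hunks of this patch, the auto-submit page has already been sent during authentication, and the request-state key presumably only tells this handler to claim the request so that no later handler serves the protected resource to a user who has not logged in. A comment such as `/* page already sent in the authn phase; claim the request so no other handler emits protected content */` would record that. The fix also depends on this handler running before any other content handler and on no earlier return path skipping these branches. The hook registration and the start of oidc_content_handler are outside the hunk, so that needs confirming there.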
Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.h
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.h
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.h
@@ -93,6 +93,8 @@ APLOG_USE_MODULE(auth_openidc);
/* keys for storing info in the request state */
#define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
#define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
/* parameter name of the callback URL in the discovery response */
#define OIDC_DISC_CB_PARAM "oidc_callback"
Index: mod_auth_openidc-2.3.8/src/proto.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/proto.c
+++ mod_auth_openidc-2.3.8/src/proto.c
@@ -525,7 +525,7 @@ static int oidc_proto_add_form_post_para
/*
* make the browser POST parameters through Javascript auto-submit
*/
-static int oidc_proto_html_post(request_rec *r, const char *url,
+static void oidc_proto_html_post(request_rec *r, const char *url,
apr_table_t *params) {
oidc_debug(r, "enter");
@@ -541,7 +541,7 @@ static int oidc_proto_html_post(request_
html_body = apr_psprintf(r->pool, "%s%s", data.html_body, " </p>\n"
" </form>\n");
- return oidc_util_html_send(r, "Submitting...", NULL,
+ oidc_util_html_send(r, "Submitting...", NULL,
"document.forms[0].submit()", html_body, DONE);
}
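Review bot: The result of `oidc_util_html_send` is now discarded while `DONE` is still passed as its last argument, which reads as if that status were still used. What the helper returns when the page cannot be written is not visible here, but the caller in oidc_proto_authorization_request sets `rv = OK` unconditionally, so a failure reported that way would go unnoticed. If the helper signals errors through its return value, log it before returning. Otherwise mark the intent with a comment such as `/* result ignored: the caller returns OK and the content handler ends the request */`.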
@@ -646,16 +646,20 @@ int oidc_proto_authorization_request(req
if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
/* construct a HTML POST auto-submit page with the authorization request parameters */
- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
+ oidc_proto_html_post(r, provider->authorization_endpoint_url,
params);
+ /* signal this to the content handler */
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+ r->user = "";
+ rv = OK;
+
} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
/* construct the full authorization request URL */
authorization_request = oidc_util_http_query_encoded_url(r,
provider->authorization_endpoint_url, params);
- // TODO: should also enable this when using the POST binding for the auth request
/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
if (oidc_post_preserve_javascript(r, authorization_request, NULL,
NULL) == FALSE) {
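Review bot: `r->user = "";` followed by `rv = OK;` lets a request with no authenticated user pass the authentication step under an empty user name, and the comment above it does not explain this. The same pair is repeated in the `else` branch added by the next hunk. Everything that runs between here and the content handler (authorization, logging, environment setup) will see an empty `r->user`, and as far as this patch shows the protected resource is withheld only because oidc_content_handler finds the request-state key. The comment should say so, e.g. `/* no authenticated user yet: empty r->user lets the request reach oidc_content_handler, which must end it */`. The deleted TODO described POST-parameter preservation for the POST binding, which this branch still does not appear to do, so that note may be worth keeping.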
@@ -665,6 +669,11 @@ int oidc_proto_authorization_request(req
/* and tell Apache to return an HTTP Redirect (302) message */
rv = HTTP_MOVED_TEMPORARILY;
+ } else {
+ /* signal this to the content handler */
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
+ r->user = "";
+ rv = OK;
}
} else {
oidc_error(r, "provider->auth_request_method set to wrong value: %d",