File fix-CVE-2021-32792-2.patch of Package apache2-mod_auth_openidc.28532
From 00c315cb0c8ab77c67be4a2ac08a71a83ac58751 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Fri, 25 Jun 2021 11:42:57 +0200
Subject: [PATCH] avoid XSS vulnerability when using OIDCPreservePost On
and supplying URLs that contain single quotes; thanks @oss-aimoto
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
---
ChangeLog | 4 ++++
src/mod_auth_openidc.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.c
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
@@ -514,7 +514,7 @@ static int oidc_request_post_preserved_r
" input.type = \"hidden\";\n"
" document.forms[0].appendChild(input);\n"
" }\n"
- " document.forms[0].action = '%s';\n"
+ " document.forms[0].action = \"%s\";\n"
" document.forms[0].submit();\n"
" }\n"
" </script>\n", method, oidc_util_javascript_escape(r->pool, original_url));