File harden-refresh-token-request.patch of Package apache2-mod_auth_openidc.28532

Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.c
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
@@ -2993,6 +2993,8 @@ static int oidc_handle_refresh_token_req
 	char *return_to = NULL;
 	char *r_access_token = NULL;
 	char *error_code = NULL;
+	char *error_str = NULL;
+	char *error_description = NULL;
 
 	/* get the command passed to the session management handler */
 	oidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_REFRESH,
@@ -3007,6 +3009,15 @@ static int oidc_handle_refresh_token_req
 		return HTTP_INTERNAL_SERVER_ERROR;
 	}
 
+	/* do input validation on the return to parameter value */
+	if (oidc_validate_redirect_url(r, c, return_to, TRUE, &error_str,
+			&error_description) == FALSE) {
+		oidc_error(r, "return_to URL validation failed: %s: %s", error_str,
+				error_description);
+		return HTTP_INTERNAL_SERVER_ERROR;
+	}
+	
+
 	if (r_access_token == NULL) {
 		oidc_error(r,
 				"refresh token request handler called with no access_token parameter");
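Review bot: The new validation block reports a rejected return_to value with HTTP_INTERNAL_SERVER_ERROR, although the value comes straight from the request parameter, so a malformed or disallowed URL is a client error and `return HTTP_BAD_REQUEST;` describes it better and keeps it out of 5xx alerting (if 500 is kept for consistency with the surrounding handler paths, a one-line comment saying so would help). The oidc_error call feeds error_str and error_description to `%s` right after they were initialised to NULL; if oidc_validate_redirect_url can return FALSE without populating both, the log call gets a NULL argument, so it is worth confirming that the validator always sets them on failure. The blank line added after the block carries a stray tab and is followed by a second blank line; one empty line is enough. oidc_handle_refresh_token_request starts before this hunk and continues after it.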