Commit 00c315c

avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes; thanks @oss-aimoto

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
1 parent c09505f commit 00c315c

2 files changed: +5 -1 lines changed

Diff for: ChangeLog

+4
@@ -1,3 +1,7 @@
1+
06/25/2021
2+
- avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes
3+
thanks @oss-aimoto
4+
15
06/21/2021
26
- strip A256GCM JWT header from encrypted JWTS used for state cookies, cache encryption and by-value session cookies
37
resulting in smaller cookies and reduced cache content size
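
Review bot: The 06/25/2021 entry names the trigger (OIDCPreservePost On plus a URL containing single quotes) but not where the fix landed or what it changes, so someone auditing from the ChangeLog cannot tell that this is only a quoting change in the generated POST-restore script. Suggest stating that the URL in that script is now emitted inside double quotes, and referencing the issue or advisory if one exists.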

Diff for: src/mod_auth_openidc.c

+1-1
@@ -513,7 +513,7 @@ static int oidc_request_post_preserved_restore(request_rec *r,
513513
" input.type = \"hidden\";\n"
514514
" document.forms[0].appendChild(input);\n"
515515
" }\n"
516-
" document.forms[0].action = '%s';\n"
516+
" document.forms[0].action = \"%s\";\n"
517517
" document.forms[0].submit();\n"
518518
" }\n"
519519
" </script>\n", method, original_url);

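Review bot: On the changed line 516, `original_url` is still substituted through a bare `%s` into a JavaScript string literal inside the `<script>` block; switching the delimiter from `'` to `"` closes the single-quote case but makes a double quote the character that ends the string. Nothing in this hunk shows `original_url` being escaped, so the fix holds only if the caller already encodes double quotes, backslashes, line terminators and `</script>`. Suggest escaping the value for a JavaScript string context right before this format call, or adding a comment that names the upstream encoding this line relies on. `method`, passed to the same format call, deserves the same check.
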