
release 2.1.6 : security fix: scrub headers for "AuthType oauth20"
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
zandbelt committed Feb 20, 2017
1 parent 951f44c commit 21e3728
Showing 5 changed files with 13 additions and 2 deletions.
4 changes: 4 additions & 0 deletions ChangeLog
@@ -1,3 +1,7 @@
02/20/2017
- security fix: scrub headers for "AuthType oauth20"
- release 2.1.6

02/15/2017
- improve logging of session max duration and session inactivity timeout
- refactor so that the call to the refresh hook also resets the session inactivity timeout and passes tokens down
2 changes: 1 addition & 1 deletion configure.ac
@@ -1,4 +1,4 @@
AC_INIT([mod_auth_openidc],[2.1.6rc2],[hans.zandbelt@zmartzone.eu])
AC_INIT([mod_auth_openidc],[2.1.6],[hans.zandbelt@zmartzone.eu])

AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())

2 changes: 1 addition & 1 deletion src/mod_auth_openidc.c
Expand Up @@ -132,7 +132,7 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix,
/*
* scrub all mod_auth_openidc related headers
*/
static void oidc_scrub_headers(request_rec *r) {
void oidc_scrub_headers(request_rec *r) {
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);

1 change: 1 addition & 0 deletions src/mod_auth_openidc.h
Expand Up @@ -387,6 +387,7 @@ void oidc_request_state_set(request_rec *r, const char *key, const char *value);
const char*oidc_request_state_get(request_rec *r, const char *key);
int oidc_handle_jwks(request_rec *r, oidc_cfg *c);
apr_byte_t oidc_post_preserve_javascript(request_rec *r, const char *location, char **javascript, char **javascript_method);
void oidc_scrub_headers(request_rec *r);

// oidc_oauth
int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c);
6 changes: 6 additions & 0 deletions src/oauth.c
Expand Up @@ -664,6 +664,12 @@ int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c) {
"Could not set remote user");
}

/*
* we're going to pass the information that we have to the application,
* but first we need to scrub the headers that we're going to use for security reasons
*/
oidc_scrub_headers(r);

/* set the user authentication HTTP header if set and required */
char *authn_header = oidc_cfg_dir_authn_header(r);
int pass_headers = oidc_cfg_dir_pass_info_in_headers(r);
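Review bot: The new `oidc_scrub_headers(r);` call sits only after the remote-user assignment, so if any earlier exit in oidc_oauth_check_userid (whose body starts and ends outside this hunk) lets the request proceed without an error status, client-supplied copies of the claim and authn headers would still reach the application on that path; it is worth confirming that every earlier return is an error and otherwise hoisting the scrub above it. The comment above the call could state which headers are removed and why, for example `/* drop client-supplied headers that collide with the ones this module sets from token claims, so they cannot be spoofed */`. The prototype added in src/mod_auth_openidc.h carries no comment; a one-line description of the same contract there, noting that callers must invoke it before setting any claim-derived header, would help the other translation unit that now depends on it.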

1 comment on commit 21e3728

@carnil

@carnil carnil commented on 21e3728 Mar 1, 2017


The issue fixed here was assigned CVE-2017-6413 by MITRE via https://cveform.mitre.org/
