don't echo query params on invalid requests to redirect URI; closes #212

thanks @LukasReschke; I'm sure there's some OWASP guideline that warns against this
OpenIDC · Jan 18, 2017 · 612e309 · 612e309
1 parent 90efd7a
commit 612e309
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,6 @@
+01/18/2017
+- don't echo the query parameters on the error page when an invalid request is made to the Redirect URI; closes #212; thanks @LukasReschke
+
 01/14/2017
 - use dynamic memory buffer for writing HTTP call responses; solves curl/mpm-event interference; see #207
 - bump to 2.1.4rc1

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -2845,8 +2845,8 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
 	/* something went wrong */
 	return oidc_util_html_send_error(r, c->error_template, "Invalid Request",
 			apr_psprintf(r->pool,
-					"The OpenID Connect callback URL received an invalid request: %s",
-					r->args), HTTP_INTERNAL_SERVER_ERROR);
+					"The OpenID Connect callback URL received an invalid request"),
+					HTTP_INTERNAL_SERVER_ERROR);
 }
 
 /*