
release 2.3.10.2: fix XSS vulnerability for poll parameter

in OIDC Session Management RP iframe; CSNC-2019-001; thanks Mischa
Bachmann

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
zandbelt committed Jan 22, 2019
1 parent 81147b0 commit 132a4111bf3791e76437619a66336dce2ce4c79b
Showing with 10 additions and 5 deletions.
  1. +4 −0 ChangeLog
  2. +1 −1 configure.ac
  3. +5 −4 src/mod_auth_openidc.c
@@ -1,3 +1,7 @@
01/22/2019
- fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in OIDC Session Management RP iframe; thanks Mischa Bachmann
- release 2.3.10.2

01/16/2019
- fix bug in current URL detection where query parameters would be duplicated; see #420; thanks @jreynaert
- release 2.3.10.1
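Review bot: The 01/22/2019 entry does not say that `poll` values which are non-numeric, non-positive or above `3600 * 24` are now replaced by 3000. A deployment that passes a larger interval gets a silent behaviour change, so a line recording the new accepted range and default belongs in this entry.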
@@ -1,4 +1,4 @@
AC_INIT([mod_auth_openidc],[2.3.10.1],[hans.zandbelt@zmartzone.eu])
AC_INIT([mod_auth_openidc],[2.3.10.2],[hans.zandbelt@zmartzone.eu])

AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())

@@ -3106,7 +3106,7 @@ static int oidc_handle_session_management_iframe_rp(request_rec *r, oidc_cfg *c,
"\n"
" function setTimer() {\n"
" checkSession();\n"
" timerID = setInterval('checkSession()', %s);\n"
" timerID = setInterval('checkSession()', %d);\n"
" }\n"
"\n"
" function receiveMessage(e) {\n"
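Review bot: In `setTimer()`, `setInterval('checkSession()', %d)` still passes the callback as a string, which the browser evaluates as code; passing the function reference, `setInterval(checkSession, %d)`, removes the string evaluation and keeps the only formatted value in a numeric argument position. `%d` also requires an `int` argument, which matches `int poll_interval` in the later hunk; the two need to stay in step if that type is ever widened.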
@@ -3149,12 +3149,13 @@ static int oidc_handle_session_management_iframe_rp(request_rec *r, oidc_cfg *c,

char *s_poll_interval = NULL;
oidc_util_get_request_parameter(r, "poll", &s_poll_interval);
if (s_poll_interval == NULL)
s_poll_interval = "3000";
int poll_interval = s_poll_interval ? strtol(s_poll_interval, NULL, 10) : 0;
if ((poll_interval <= 0) || (poll_interval > 3600 * 24))
poll_interval = 3000;

const char *redirect_uri = oidc_get_redirect_uri(r, c);
java_script = apr_psprintf(r->pool, java_script, origin, client_id,
session_state, op_iframe_id, s_poll_interval, redirect_uri,
session_state, op_iframe_id, poll_interval, redirect_uri,
redirect_uri);

return oidc_util_html_send(r, NULL, java_script, "setTimer", NULL, DONE);
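Review bot: The upper bound in `(poll_interval > 3600 * 24)` reads like seconds in a day, but the value is handed to `setInterval` as milliseconds (the default is 3000), so the effective cap is 86.4 seconds; if a day was intended this should be `3600 * 24 * 1000`, otherwise a comment stating the unit would prevent misreading. Separately, `strtol` returns `long` and the result is assigned to `int` before the range check, so where `long` is wider than `int` an oversized input is narrowed first and can land inside the accepted range; parsing into a `long`, range-checking, and then assigning is cleaner, and passing an end pointer instead of `NULL` would let inputs with trailing characters such as `3000abc` fall back to the default. The remaining `%s` arguments (`origin`, `client_id`, `session_state`, `op_iframe_id`, `redirect_uri`) are still formatted into the script as strings; the visible lines do not show where they come from, so it is worth confirming none of them is request-controlled.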
