Skip to content
Permalink
Browse files

don't echo query params on invalid requests to redirect URI; closes #212



thanks @LukasReschke; I'm sure there's some OWASP guideline that warns
against this
  • Loading branch information...
zandbelt committed Jan 18, 2017
1 parent 90efd7a commit 612e309bfffd6f9b8ad7cdccda3019fc0865f3b4
Showing with 5 additions and 2 deletions.
  1. +3 −0 ChangeLog
  2. +2 −2 src/mod_auth_openidc.c
@@ -1,3 +1,6 @@
01/18/2017
- don't echo the query parameters on the error page when an invalid request is made to the Redirect URI; closes #212; thanks @LukasReschke

01/14/2017
- use dynamic memory buffer for writing HTTP call responses; solves curl/mpm-event interference; see #207
- bump to 2.1.4rc1
@@ -2845,8 +2845,8 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
/* something went wrong */
return oidc_util_html_send_error(r, c->error_template, "Invalid Request",
apr_psprintf(r->pool,
"The OpenID Connect callback URL received an invalid request: %s",
r->args), HTTP_INTERNAL_SERVER_ERROR);
"The OpenID Connect callback URL received an invalid request"),
HTTP_INTERNAL_SERVER_ERROR);
}

/*

0 comments on commit 612e309

Please sign in to comment.
You can’t perform that action at this time.