Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apache2-mod_auth_openidc for openSUSE:Factory checked in at 2022-12-24 14:51:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.1563 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2-mod_auth_openidc" Sat Dec 24 14:51:32 2022 rev:28 rq:1044612 version:2.4.12.2 Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes 2022-11-18 15:44:26.902803348 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.1563/apache2-mod_auth_openidc.changes 2022-12-24 14:52:27.919692441 +0100 @@ -1,0 +2,11 @@ +Tue Dec 20 15:24:49 UTC 2022 - Michael Str��der <michael@stroeder.com> + +- update to 2.4.12.2 + * Security + - CVE-2022-23527: prevent open redirect in default setup when + OIDCRedirectURLsAllowed is not configured + see: GHSA-q6f2-285m-gr53 + * Features + - allow overriding the type of lock used at compile time with OIDC_LOCK + +------------------------------------------------------------------- Old: ---- mod_auth_openidc-2.4.12.1.tar.gz New: ---- mod_auth_openidc-2.4.12.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_auth_openidc.spec ++++++ --- /var/tmp/diff_new_pack.DILLft/_old 2022-12-24 14:52:28.471695662 +0100 +++ /var/tmp/diff_new_pack.DILLft/_new 2022-12-24 14:52:28.475695686 +0100 
@@ -17,7 +17,7 @@ Name: apache2-mod_auth_openidc -Version: 2.4.12.1 +Version: 2.4.12.2 Release: 0 Summary: Apache2.x module for an OpenID Connect enabled Identity Provider License: Apache-2.0 ++++++ mod_auth_openidc-2.4.12.1.tar.gz -> mod_auth_openidc-2.4.12.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/AUTHORS new/mod_auth_openidc-2.4.12.2/AUTHORS --- old/mod_auth_openidc-2.4.12.1/AUTHORS 2022-11-14 15:35:42.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/AUTHORS 2022-12-09 10:26:49.000000000 +0100 @@ -85,3 +85,5 @@ blackwhiser1 <https://github.com/blackwhiser1> Ruediger Pluem <https://github.com/rpluem-vf> Nikhil Chaudhari <https://github.com/nvchaudhari1991> + Quentin Gillet <qgillet@gmail.com> + Brent van Laere <brent.van.laere@gmail.com> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/ChangeLog new/mod_auth_openidc-2.4.12.2/ChangeLog --- old/mod_auth_openidc-2.4.12.1/ChangeLog 2022-11-15 15:14:21.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/ChangeLog 2022-12-13 16:45:41.000000000 +0100 @@ -1,3 +1,16 @@ +12/13/2022 +- prevent open redirect in default setup i.e. when OIDCRedirectURLsAllowed is not configured + see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-... +- release 2.4.12.2 + +12/08/2022 +- simplify redis context code +- bump to 2.4.12.2rc1 + +11/18/2022 +- allow overriding the type of lock used at compile time with OIDC_LOCK +- bump to 2.4.12.2rc0 + 11/15/2022 - release 2.4.12.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/configure new/mod_auth_openidc-2.4.12.2/configure --- old/mod_auth_openidc-2.4.12.1/configure 2022-11-15 15:15:33.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/configure 2022-12-13 18:14:29.000000000 +0100 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.12.1. +# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.12.2. # # Report bugs to <hans.zandbelt@zmartzone.eu>. # @@ -621,8 +621,8 @@ # Identity of this package. PACKAGE_NAME='mod_auth_openidc' PACKAGE_TARNAME='mod_auth_openidc' -PACKAGE_VERSION='2.4.12.1' -PACKAGE_STRING='mod_auth_openidc 2.4.12.1' +PACKAGE_VERSION='2.4.12.2' +PACKAGE_STRING='mod_auth_openidc 2.4.12.2' PACKAGE_BUGREPORT='hans.zandbelt@zmartzone.eu' PACKAGE_URL='' @@ -1407,7 +1407,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mod_auth_openidc 2.4.12.1 to adapt to many kinds of systems. +\`configure' configures mod_auth_openidc 2.4.12.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1479,7 +1479,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mod_auth_openidc 2.4.12.1:";; + short | recursive ) echo "Configuration of mod_auth_openidc 2.4.12.2:";; esac cat <<\_ACEOF @@ -1621,7 +1621,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mod_auth_openidc configure 2.4.12.1 +mod_auth_openidc configure 2.4.12.2 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -1839,7 +1839,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mod_auth_openidc $as_me 2.4.12.1, which was +It was created by mod_auth_openidc $as_me 2.4.12.2, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -2595,7 +2595,7 @@ -NAMEVER=mod_auth_openidc-2.4.12.1 +NAMEVER=mod_auth_openidc-2.4.12.2 am__api_version='1.16' 
@@ -3112,7 +3112,7 @@ # Define the identity of the package. PACKAGE='mod_auth_openidc' - VERSION='2.4.12.1' + VERSION='2.4.12.2' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -14732,7 +14732,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mod_auth_openidc $as_me 2.4.12.1, which was +This file was extended by mod_auth_openidc $as_me 2.4.12.2, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -14800,7 +14800,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -mod_auth_openidc config.status 2.4.12.1 +mod_auth_openidc config.status 2.4.12.2 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/configure.ac new/mod_auth_openidc-2.4.12.2/configure.ac --- old/mod_auth_openidc-2.4.12.1/configure.ac 2022-11-15 15:14:28.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/configure.ac 2022-12-13 16:45:53.000000000 +0100 @@ -1,4 +1,4 @@ -AC_INIT([mod_auth_openidc],[2.4.12.1],[hans.zandbelt@zmartzone.eu]) +AC_INIT([mod_auth_openidc],[2.4.12.2],[hans.zandbelt@zmartzone.eu]) AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION()) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/cache/common.c new/mod_auth_openidc-2.4.12.2/src/cache/common.c --- old/mod_auth_openidc-2.4.12.1/src/cache/common.c 2022-11-13 12:59:47.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/src/cache/common.c 2022-12-09 10:26:49.000000000 +0100 
@@ -87,18 +87,22 @@ "%s/mod_auth_openidc_%s_mutex.%ld.%pp", dir, type, (long int) getpid(), s); - /* create the mutex lock */ - rv = apr_global_mutex_create(&m->mutex, (const char *) m->mutex_filename, -#if APR_HAS_POSIXSEM_SERIALIZE - APR_LOCK_POSIXSEM, + /* set the lock type */ + apr_lockmech_e mech = +#ifdef OIDC_LOCK + OIDC_LOCK +#elif APR_HAS_POSIXSEM_SERIALIZE + APR_LOCK_POSIXSEM #else - APR_LOCK_DEFAULT, + APR_LOCK_DEFAULT #endif - s->process->pool); + ; + + /* create the mutex lock */ + rv = + apr_global_mutex_create(&m->mutex, (const char*) m->mutex_filename, mech, s->process->pool); if (rv != APR_SUCCESS) { - oidc_serror(s, - "apr_global_mutex_create failed to create mutex on file %s: %s (%d)", - m->mutex_filename, oidc_cache_status2str(s->process->pool, rv), rv); + oidc_serror(s, "apr_global_mutex_create failed to create mutex (%d) on file %s: %s (%d)", mech, m->mutex_filename, oidc_cache_status2str(s->process->pool, rv), rv); return FALSE; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/cache/redis.c new/mod_auth_openidc-2.4.12.2/src/cache/redis.c --- old/mod_auth_openidc-2.4.12.1/src/cache/redis.c 2022-11-14 15:34:36.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/src/cache/redis.c 2022-12-11 09:13:59.000000000 +0100 
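Review bot: The `OIDC_LOCK` value in the new `mech` initializer is pasted in unchecked, so a mechanism this APR build does not support (or one that is not usable across worker processes on the target platform) is discovered only at startup through the `apr_global_mutex_create` failure, and the log then prints it as a bare `%d` enum number with no name. A comment above the initializer would help whoever sets it at build time: `/* OIDC_LOCK: optional compile-time apr_lockmech_e override (e.g. -DOIDC_LOCK=APR_LOCK_FCNTL); must be a mechanism APR supports here and one that works across processes, since this global mutex is presumably what serializes the shared cache */`. If APR offers a name for the mechanism in this build, logging it next to the number would make the failure actionable; I do not see such a helper in the hunk, so treat that as a suggestion to check. The enclosing function starts and ends outside this hunk.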
@@ -52,20 +52,6 @@ #define REDIS_CONNECT_TIMEOUT_DEFAULT 5 #define REDIS_TIMEOUT_DEFAULT 5 -typedef struct oidc_cache_cfg_redis_ctx_t { - char *host_str; - apr_port_t port; - redisContext *rctx; -} oidc_cache_cfg_redis_ctx_t; - -static oidc_cache_cfg_redis_ctx_t* oidc_cache_redis_cfg_ctx_create(apr_pool_t *pool) { - oidc_cache_cfg_redis_ctx_t *context = apr_pcalloc(pool, sizeof(oidc_cache_cfg_redis_ctx_t)); - context->host_str = NULL; - context->port = 0; - context->rctx = NULL; - return context; -} - /* create the cache context */ static oidc_cache_cfg_redis_t* oidc_cache_redis_cfg_create(apr_pool_t *pool) { oidc_cache_cfg_redis_t *context = apr_pcalloc(pool, sizeof(oidc_cache_cfg_redis_t)); @@ -77,7 +63,9 @@ context->connect_timeout.tv_usec = 0; context->timeout.tv_sec = REDIS_TIMEOUT_DEFAULT; context->timeout.tv_usec = 0; - context->ctx = NULL; + context->host_str = NULL; + context->port = 0; + context->rctx = NULL; return context; } @@ -118,13 +106,11 @@ /* * free resources allocated for the per-process Redis connection context */ -static apr_status_t oidc_cache_redis_disconnect(oidc_cache_cfg_redis_t *context) { - oidc_cache_cfg_redis_ctx_t *rctx = NULL; +apr_status_t oidc_cache_redis_disconnect(oidc_cache_cfg_redis_t *context) { if (context != NULL) { - rctx = (oidc_cache_cfg_redis_ctx_t*) context->ctx; - if ((rctx != NULL) && (rctx->rctx != NULL)) { - redisFree(rctx->rctx); - rctx->rctx = NULL; + if (context->rctx != NULL) { + redisFree(context->rctx); + context->rctx = NULL; } } return APR_SUCCESS; @@ -136,7 +122,6 @@ static int oidc_cache_redis_post_config_impl(server_rec *s) { apr_status_t rv = APR_SUCCESS; oidc_cache_cfg_redis_t *context = NULL; - oidc_cache_cfg_redis_ctx_t *rctx = NULL; oidc_cfg *cfg = (oidc_cfg*) ap_get_module_config(s->module_config, &auth_openidc_module); if (cfg->cache_cfg != NULL) 
@@ -145,9 +130,7 @@ if (oidc_cache_redis_post_config(s, cfg, "redis") != OK) return HTTP_INTERNAL_SERVER_ERROR; - context = cfg->cache_cfg; - rctx = oidc_cache_redis_cfg_ctx_create(s->process->pool); - context->ctx = rctx; + context = (oidc_cache_cfg_redis_t *)cfg->cache_cfg; /* parse the host:post tuple from the configuration */ if (cfg->cache_redis_server == NULL) { @@ -157,19 +140,19 @@ char *scope_id; rv = - apr_parse_addr_port(&rctx->host_str, &scope_id, &rctx->port, cfg->cache_redis_server, s->process->pool); + apr_parse_addr_port(&context->host_str, &scope_id, &context->port, cfg->cache_redis_server, s->process->pool); if (rv != APR_SUCCESS) { oidc_serror(s, "failed to parse cache server: '%s'", cfg->cache_redis_server); return HTTP_INTERNAL_SERVER_ERROR; } - if (rctx->host_str == NULL) { + if (context->host_str == NULL) { oidc_serror(s, "failed to parse cache server, no hostname specified: '%s'", cfg->cache_redis_server); return HTTP_INTERNAL_SERVER_ERROR; } - if (rctx->port == 0) - rctx->port = 6379; + if (context->port == 0) + context->port = 6379; context->connect = oidc_cache_redis_connect; context->command = oidc_cache_redis_command; 
@@ -211,38 +194,37 @@ */ static apr_status_t oidc_cache_redis_connect(request_rec *r, oidc_cache_cfg_redis_t *context) { - oidc_cache_cfg_redis_ctx_t *rctx = (oidc_cache_cfg_redis_ctx_t*) context->ctx; redisReply *reply = NULL; - if (rctx->rctx != NULL) + if (context->rctx != NULL) goto end; /* no connection, connect to the configured Redis server */ oidc_debug(r, "calling redisConnectWithTimeout"); - rctx->rctx = redisConnectWithTimeout(rctx->host_str, rctx->port, context->connect_timeout); + context->rctx = redisConnectWithTimeout(context->host_str, context->port, context->connect_timeout); /* check for errors */ - if ((rctx->rctx == NULL) || (rctx->rctx->err != 0)) { - oidc_error(r, "failed to connect to Redis server (%s:%d): '%s'", rctx->host_str, rctx->port, rctx->rctx != NULL ? rctx->rctx->errstr : ""); + if ((context->rctx == NULL) || (context->rctx->err != 0)) { + oidc_error(r, "failed to connect to Redis server (%s:%d): '%s'", context->host_str, context->port, context->rctx != NULL ? 
context->rctx->errstr : ""); context->disconnect(context); goto end; } /* log the connection */ - oidc_debug(r, "successfully connected to Redis server (%s:%d)", rctx->host_str, rctx->port); + oidc_debug(r, "successfully connected to Redis server (%s:%d)", context->host_str, context->port); - if (redisSetTimeout(rctx->rctx, context->timeout) != REDIS_OK) - oidc_error(r, "redisSetTimeout failed: %s", rctx->rctx->errstr); + if (redisSetTimeout(context->rctx, context->timeout) != REDIS_OK) + oidc_error(r, "redisSetTimeout failed: %s", context->rctx->errstr); /* see if we need to authenticate to the Redis server */ if (context->passwd != NULL) { if (context->username != NULL) { - reply = redisCommand(rctx->rctx, "AUTH %s %s", context->username, context->passwd); + reply = redisCommand(context->rctx, "AUTH %s %s", context->username, context->passwd); } else { - reply = redisCommand(rctx->rctx, "AUTH %s", context->passwd); + reply = redisCommand(context->rctx, "AUTH %s", context->passwd); } if ((reply == NULL) || (reply->type == REDIS_REPLY_ERROR)) - oidc_error(r, "Redis AUTH command (%s:%d) failed: '%s' [%s]", rctx->host_str, rctx->port, rctx->rctx->errstr, + oidc_error(r, "Redis AUTH command (%s:%d) failed: '%s' [%s]", context->host_str, context->port, context->rctx->errstr, reply ? reply->str : "<n/a>"); else oidc_debug(r, "successfully authenticated to the Redis server: %s", 
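Review bot: When the `AUTH` reply is NULL or `REDIS_REPLY_ERROR` the new code only calls `oidc_error` and carries on treating the connection as established, so the function still reports success for a connection that never authenticated and every later cache command fails per-request instead of failing closed here. After the error log I would tear the connection down and leave: `context->disconnect(context); goto end;` (placed after whatever reply cleanup follows, which I cannot see in this hunk). The same fail-open pattern appears for the `SELECT` failure in the next hunk, where ending up in the wrong database silently shares a keyspace with other data. The function's `end:` label and its return, which is `APR_SUCCESS` whenever `context->rctx` is non-NULL, are in the following hunk rather than this one.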
@@ -254,9 +236,9 @@ /* see if we need to set the database */ if (context->database != -1) { - reply = redisCommand(rctx->rctx, "SELECT %d", context->database); + reply = redisCommand(context->rctx, "SELECT %d", context->database); if ((reply == NULL) || (reply->type == REDIS_REPLY_ERROR)) - oidc_error(r, "Redis SELECT command (%s:%d) failed: '%s' [%s]", rctx->host_str, rctx->port, rctx->rctx->errstr, + oidc_error(r, "Redis SELECT command (%s:%d) failed: '%s' [%s]", context->host_str, context->port, context->rctx->errstr, reply ? reply->str : "<n/a>"); else oidc_debug(r, "successfully selected database %d on the Redis server: %s", context->database, @@ -268,14 +250,13 @@ end: - return (rctx->rctx != NULL) ? APR_SUCCESS : APR_EGENERAL; + return (context->rctx != NULL) ? APR_SUCCESS : APR_EGENERAL; } redisReply* oidc_cache_redis_command(request_rec *r, oidc_cache_cfg_redis_t *context, char **errstr, const char *format, va_list ap) { - oidc_cache_cfg_redis_ctx_t *rctx = (oidc_cache_cfg_redis_ctx_t*) context->ctx; - redisReply *reply = redisvCommand(rctx->rctx, format, ap); - *errstr = apr_pstrdup(r->pool, rctx->rctx->errstr); + redisReply *reply = redisvCommand(context->rctx, format, ap); + *errstr = apr_pstrdup(r->pool, context->rctx->errstr); return reply; } @@ -287,7 +268,6 @@ static redisReply* oidc_cache_redis_exec(request_rec *r, oidc_cache_cfg_redis_t *context, const char *format, ...) { - oidc_cache_cfg_redis_ctx_t *rctx = (oidc_cache_cfg_redis_ctx_t*) context->ctx; redisReply *reply = NULL; char *errstr = NULL; int i = 0; 
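Review bot: `oidc_cache_redis_command` dereferences `context->rctx` twice with no NULL check, and now that `oidc_cache_redis_disconnect` is exported in redis.h any caller can reset `rctx` to NULL between connect and command; hiredis does not accept a NULL context in `redisvCommand`, so that path is a crash rather than an error return. A guard at the top preserves the function's contract: `if (context->rctx == NULL) { *errstr = apr_pstrdup(r->pool, "not connected"); return NULL; }`. I cannot see whether `oidc_cache_redis_exec` always reconnects before calling through `context->command`, so if it does, this is defensive only, but the function is reachable through the function-pointer table as well.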
@@ -311,7 +291,7 @@ break; /* something went wrong, log it */ - oidc_error(r, "Redis command (attempt=%d to %s:%d) failed, disconnecting: '%s' [%s]", i, rctx->host_str, rctx->port, errstr, + oidc_error(r, "Redis command (attempt=%d to %s:%d) failed, disconnecting: '%s' [%s]", i, context->host_str, context->port, errstr, reply ? reply->str : "<n/a>"); /* free the reply (if there is one allocated) */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/cache/redis.h new/mod_auth_openidc-2.4.12.2/src/cache/redis.h --- old/mod_auth_openidc-2.4.12.1/src/cache/redis.h 2022-11-14 15:34:36.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/src/cache/redis.h 2022-12-11 09:13:59.000000000 +0100 @@ -61,7 +61,9 @@ int database; struct timeval connect_timeout; struct timeval timeout; - void *ctx; + char *host_str; + apr_port_t port; + redisContext *rctx; oidc_cache_redis_connect_function_t connect; oidc_cache_redis_command_function_t command; oidc_cache_redis_disconnect_function_t disconnect; @@ -75,3 +77,4 @@ const char **value); apr_byte_t oidc_cache_redis_set(request_rec *r, const char *section, const char *key, const char *value, apr_time_t expiry); +apr_status_t oidc_cache_redis_disconnect(oidc_cache_cfg_redis_t *context); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.c new/mod_auth_openidc-2.4.12.2/src/mod_auth_openidc.c --- old/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.c 2022-11-14 15:36:15.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/src/mod_auth_openidc.c 2022-12-13 16:40:49.000000000 +0100 
@@ -2537,15 +2537,15 @@ oidc_error(r, "%s: %s", *err_str, *err_desc); return FALSE; } - - if ((strstr(url, "/%09") != NULL) || (strstr(url, "/%2f") != NULL) - || (strstr(url, "/%68") != NULL) || (strstr(url, "/http:") != NULL) - || (strstr(url, "/https:") != NULL) || (strstr(url, "/javascript:") != NULL) + if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL) + || (strstr(url, "/\t") != NULL) + || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL) + || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL) || (strstr(url, "/���") != NULL) || (strstr(url, "/���") != NULL) || (strstr(url, "/���") != NULL) || (strstr(url, "/���") != NULL) || (strstr(url, "/���") != NULL) || (strstr(url, "/���") != NULL) - || (strstr(url, "/<") != NULL) || (strstr(url, "%01javascript:") != NULL) - || (strstr(url, "/%5c") != NULL)) { + || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL) + || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) { *err_str = apr_pstrdup(r->pool, "Invalid URL"); *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url); oidc_error(r, "%s: %s", *err_str, *err_desc); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.h new/mod_auth_openidc-2.4.12.2/src/mod_auth_openidc.h --- old/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.h 2022-11-14 15:36:15.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/src/mod_auth_openidc.h 2022-12-13 16:33:07.000000000 +0100 
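Review bot: The new checks move `/%2f`, `/http:`, `/https:`, `/javascript:` and `%01javascript:` to the case-insensitive `oidc_util_strcasestr`, but `/%5c` keeps `strstr`, so the uppercase percent-encoding `/%5C` (the same backslash the new `/\\` test targets) still passes this filter. Make it `|| (oidc_util_strcasestr(url, "/%5c") != NULL)` for consistency with the `%2f` check beside it. More broadly this remains a denylist of known payload shapes; the advisory's actual mitigation is configuring `OIDCRedirectURLsAllowed`, and a comment such as `/* best-effort denylist for the default (unconfigured OIDCRedirectURLsAllowed) case; not a substitute for an allow-list */` would set expectations for maintainers adding further patterns. The enclosing validation function starts and ends outside this hunk.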
@@ -853,6 +853,7 @@ char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename); apr_byte_t oidc_enabled(request_rec *r); char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params); +char* oidc_util_strcasestr(const char *s1, const char *s2); /* HTTP header constants */ #define OIDC_HTTP_HDR_COOKIE "Cookie" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/util.c new/mod_auth_openidc-2.4.12.2/src/util.c --- old/mod_auth_openidc-2.4.12.1/src/util.c 2022-11-14 15:36:15.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/src/util.c 2022-12-13 16:32:44.000000000 +0100 @@ -434,7 +434,7 @@ return output; } -static char* oidc_util_strcasestr(const char *s1, const char *s2) { +char* oidc_util_strcasestr(const char *s1, const char *s2) { const char *s = s1; const char *p = s2; do { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/test/open-redirect-payload-list.txt new/mod_auth_openidc-2.4.12.2/test/open-redirect-payload-list.txt --- old/mod_auth_openidc-2.4.12.1/test/open-redirect-payload-list.txt 2022-11-13 12:59:47.000000000 +0100 +++ new/mod_auth_openidc-2.4.12.2/test/open-redirect-payload-list.txt 2022-12-13 16:40:29.000000000 +0100 @@ -1,4 +1,5 @@ /%09/example.com +/ /example.com /%2f%2fexample.com /%2f%2f%2fbing.com%2f%3fwww.omise.co /%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/