Hello community,
here is the log from the commit of package apache2-mod_auth_openidc for openSUSE:Factory checked in at 2022-12-24 14:51:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.1563 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_openidc"
Sat Dec 24 14:51:32 2022 rev:28 rq:1044612 version:2.4.12.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes 2022-11-18 15:44:26.902803348 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.1563/apache2-mod_auth_openidc.changes 2022-12-24 14:52:27.919692441 +0100
@@ -1,0 +2,11 @@
+Tue Dec 20 15:24:49 UTC 2022 - Michael Str��der
+
+- update to 2.4.12.2
+ * Security
+ - CVE-2022-23527: prevent open redirect in default setup when
+ OIDCRedirectURLsAllowed is not configured
+ see: GHSA-q6f2-285m-gr53
+ * Features
+ - allow overriding the type of lock used at compile time with OIDC_LOCK
+
+-------------------------------------------------------------------
Old:
----
mod_auth_openidc-2.4.12.1.tar.gz
New:
----
mod_auth_openidc-2.4.12.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.DILLft/_old 2022-12-24 14:52:28.471695662 +0100
+++ /var/tmp/diff_new_pack.DILLft/_new 2022-12-24 14:52:28.475695686 +0100
@@ -17,7 +17,7 @@
Name: apache2-mod_auth_openidc
-Version: 2.4.12.1
+Version: 2.4.12.2
Release: 0
Summary: Apache2.x module for an OpenID Connect enabled Identity Provider
License: Apache-2.0
++++++ mod_auth_openidc-2.4.12.1.tar.gz -> mod_auth_openidc-2.4.12.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/AUTHORS new/mod_auth_openidc-2.4.12.2/AUTHORS
--- old/mod_auth_openidc-2.4.12.1/AUTHORS 2022-11-14 15:35:42.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/AUTHORS 2022-12-09 10:26:49.000000000 +0100
@@ -85,3 +85,5 @@
blackwhiser1 https://github.com/blackwhiser1
Ruediger Pluem https://github.com/rpluem-vf
Nikhil Chaudhari https://github.com/nvchaudhari1991
+ Quentin Gillet
+ Brent van Laere
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/ChangeLog new/mod_auth_openidc-2.4.12.2/ChangeLog
--- old/mod_auth_openidc-2.4.12.1/ChangeLog 2022-11-15 15:14:21.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/ChangeLog 2022-12-13 16:45:41.000000000 +0100
@@ -1,3 +1,16 @@
+12/13/2022
+- prevent open redirect in default setup i.e. when OIDCRedirectURLsAllowed is not configured
+ see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-...
+- release 2.4.12.2
+
+12/08/2022
+- simplify redis context code
+- bump to 2.4.12.2rc1
+
+11/18/2022
+- allow overriding the type of lock used at compile time with OIDC_LOCK
+- bump to 2.4.12.2rc0
+
11/15/2022
- release 2.4.12.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/configure new/mod_auth_openidc-2.4.12.2/configure
--- old/mod_auth_openidc-2.4.12.1/configure 2022-11-15 15:15:33.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/configure 2022-12-13 18:14:29.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.12.1.
+# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.12.2.
#
# Report bugs to .
#
@@ -621,8 +621,8 @@
# Identity of this package.
PACKAGE_NAME='mod_auth_openidc'
PACKAGE_TARNAME='mod_auth_openidc'
-PACKAGE_VERSION='2.4.12.1'
-PACKAGE_STRING='mod_auth_openidc 2.4.12.1'
+PACKAGE_VERSION='2.4.12.2'
+PACKAGE_STRING='mod_auth_openidc 2.4.12.2'
PACKAGE_BUGREPORT='hans.zandbelt@zmartzone.eu'
PACKAGE_URL=''
@@ -1407,7 +1407,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures mod_auth_openidc 2.4.12.1 to adapt to many kinds of systems.
+\`configure' configures mod_auth_openidc 2.4.12.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1479,7 +1479,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of mod_auth_openidc 2.4.12.1:";;
+ short | recursive ) echo "Configuration of mod_auth_openidc 2.4.12.2:";;
esac
cat <<\_ACEOF
@@ -1621,7 +1621,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-mod_auth_openidc configure 2.4.12.1
+mod_auth_openidc configure 2.4.12.2
generated by GNU Autoconf 2.71
Copyright (C) 2021 Free Software Foundation, Inc.
@@ -1839,7 +1839,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by mod_auth_openidc $as_me 2.4.12.1, which was
+It was created by mod_auth_openidc $as_me 2.4.12.2, which was
generated by GNU Autoconf 2.71. Invocation command line was
$ $0$ac_configure_args_raw
@@ -2595,7 +2595,7 @@
-NAMEVER=mod_auth_openidc-2.4.12.1
+NAMEVER=mod_auth_openidc-2.4.12.2
am__api_version='1.16'
@@ -3112,7 +3112,7 @@
# Define the identity of the package.
PACKAGE='mod_auth_openidc'
- VERSION='2.4.12.1'
+ VERSION='2.4.12.2'
printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -14732,7 +14732,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by mod_auth_openidc $as_me 2.4.12.1, which was
+This file was extended by mod_auth_openidc $as_me 2.4.12.2, which was
generated by GNU Autoconf 2.71. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -14800,7 +14800,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-mod_auth_openidc config.status 2.4.12.1
+mod_auth_openidc config.status 2.4.12.2
configured by $0, generated by GNU Autoconf 2.71,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/configure.ac new/mod_auth_openidc-2.4.12.2/configure.ac
--- old/mod_auth_openidc-2.4.12.1/configure.ac 2022-11-15 15:14:28.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/configure.ac 2022-12-13 16:45:53.000000000 +0100
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.12.1],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_auth_openidc],[2.4.12.2],[hans.zandbelt@zmartzone.eu])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/cache/common.c new/mod_auth_openidc-2.4.12.2/src/cache/common.c
--- old/mod_auth_openidc-2.4.12.1/src/cache/common.c 2022-11-13 12:59:47.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/src/cache/common.c 2022-12-09 10:26:49.000000000 +0100
@@ -87,18 +87,22 @@
"%s/mod_auth_openidc_%s_mutex.%ld.%pp", dir, type,
(long int) getpid(), s);
- /* create the mutex lock */
- rv = apr_global_mutex_create(&m->mutex, (const char *) m->mutex_filename,
-#if APR_HAS_POSIXSEM_SERIALIZE
- APR_LOCK_POSIXSEM,
+ /* set the lock type */
+ apr_lockmech_e mech =
+#ifdef OIDC_LOCK
+ OIDC_LOCK
+#elif APR_HAS_POSIXSEM_SERIALIZE
+ APR_LOCK_POSIXSEM
#else
- APR_LOCK_DEFAULT,
+ APR_LOCK_DEFAULT
#endif
- s->process->pool);
+ ;
+
+ /* create the mutex lock */
+ rv =
+ apr_global_mutex_create(&m->mutex, (const char*) m->mutex_filename, mech, s->process->pool);
if (rv != APR_SUCCESS) {
- oidc_serror(s,
- "apr_global_mutex_create failed to create mutex on file %s: %s (%d)",
- m->mutex_filename, oidc_cache_status2str(s->process->pool, rv), rv);
+ oidc_serror(s, "apr_global_mutex_create failed to create mutex (%d) on file %s: %s (%d)", mech, m->mutex_filename, oidc_cache_status2str(s->process->pool, rv), rv);
return FALSE;
}
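Review bot: The new `#ifdef OIDC_LOCK` block substitutes a build-time macro straight into an `apr_lockmech_e` initializer with no comment saying what the macro is or what values it may hold, so anyone reading common.c has to find the ChangeLog entry to learn about the override. A comment above the `#ifdef`, e.g. `/* OIDC_LOCK: optional compile-time override of the APR lock mechanism; must be an apr_lockmech_e value (e.g. -DOIDC_LOCK=APR_LOCK_FCNTL), otherwise POSIX semaphores are used where available */`, would document the knob at its point of use. In the updated `oidc_serror` call the enum is printed as a bare `(%d)` just before the status `(%d)`, which reads ambiguously in a log line; `"... failed to create mutex (mech=%d) on file %s: %s (%d)"` with `(int) mech` keeps the format portable and unambiguous. The enclosing function starts and ends outside the hunk.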
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/cache/redis.c new/mod_auth_openidc-2.4.12.2/src/cache/redis.c
--- old/mod_auth_openidc-2.4.12.1/src/cache/redis.c 2022-11-14 15:34:36.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/src/cache/redis.c 2022-12-11 09:13:59.000000000 +0100
@@ -52,20 +52,6 @@
#define REDIS_CONNECT_TIMEOUT_DEFAULT 5
#define REDIS_TIMEOUT_DEFAULT 5
-typedef struct oidc_cache_cfg_redis_ctx_t {
- char *host_str;
- apr_port_t port;
- redisContext *rctx;
-} oidc_cache_cfg_redis_ctx_t;
-
-static oidc_cache_cfg_redis_ctx_t* oidc_cache_redis_cfg_ctx_create(apr_pool_t *pool) {
- oidc_cache_cfg_redis_ctx_t *context = apr_pcalloc(pool, sizeof(oidc_cache_cfg_redis_ctx_t));
- context->host_str = NULL;
- context->port = 0;
- context->rctx = NULL;
- return context;
-}
-
/* create the cache context */
static oidc_cache_cfg_redis_t* oidc_cache_redis_cfg_create(apr_pool_t *pool) {
oidc_cache_cfg_redis_t *context = apr_pcalloc(pool, sizeof(oidc_cache_cfg_redis_t));
@@ -77,7 +63,9 @@
context->connect_timeout.tv_usec = 0;
context->timeout.tv_sec = REDIS_TIMEOUT_DEFAULT;
context->timeout.tv_usec = 0;
- context->ctx = NULL;
+ context->host_str = NULL;
+ context->port = 0;
+ context->rctx = NULL;
return context;
}
@@ -118,13 +106,11 @@
/*
* free resources allocated for the per-process Redis connection context
*/
-static apr_status_t oidc_cache_redis_disconnect(oidc_cache_cfg_redis_t *context) {
- oidc_cache_cfg_redis_ctx_t *rctx = NULL;
+apr_status_t oidc_cache_redis_disconnect(oidc_cache_cfg_redis_t *context) {
if (context != NULL) {
- rctx = (oidc_cache_cfg_redis_ctx_t*) context->ctx;
- if ((rctx != NULL) && (rctx->rctx != NULL)) {
- redisFree(rctx->rctx);
- rctx->rctx = NULL;
+ if (context->rctx != NULL) {
+ redisFree(context->rctx);
+ context->rctx = NULL;
}
}
return APR_SUCCESS;
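Review bot: The comment above `oidc_cache_redis_disconnect` still says it frees the "per-process Redis connection context", but this commit removes that separate `oidc_cache_cfg_redis_ctx_t` and the function now frees the `rctx` field held directly in the cache config, and it is also exported through redis.h. The visible body tolerates a NULL `context`, tolerates an already-closed connection and resets `rctx` to NULL, so a second call is a no-op; the comment should state that contract now that external callers exist, e.g. `/* close the Redis connection held in the cache config; safe with NULL or when not connected, and idempotent */`.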
@@ -136,7 +122,6 @@
static int oidc_cache_redis_post_config_impl(server_rec *s) {
apr_status_t rv = APR_SUCCESS;
oidc_cache_cfg_redis_t *context = NULL;
- oidc_cache_cfg_redis_ctx_t *rctx = NULL;
oidc_cfg *cfg = (oidc_cfg*) ap_get_module_config(s->module_config, &auth_openidc_module);
if (cfg->cache_cfg != NULL)
@@ -145,9 +130,7 @@
if (oidc_cache_redis_post_config(s, cfg, "redis") != OK)
return HTTP_INTERNAL_SERVER_ERROR;
- context = cfg->cache_cfg;
- rctx = oidc_cache_redis_cfg_ctx_create(s->process->pool);
- context->ctx = rctx;
+ context = (oidc_cache_cfg_redis_t *)cfg->cache_cfg;
/* parse the host:post tuple from the configuration */
if (cfg->cache_redis_server == NULL) {
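Review bot: The cast in `context = (oidc_cache_cfg_redis_t *)cfg->cache_cfg;` is redundant if `cache_cfg` is a `void *`, which the uncast assignment the hunk replaces suggests; a `void *` converts implicitly in C, and an explicit cast would only silence the compiler if the field's type ever changed. `context = cfg->cache_cfg;` is sufficient. The enclosing function continues outside the hunk.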
@@ -157,19 +140,19 @@
char *scope_id;
rv =
- apr_parse_addr_port(&rctx->host_str, &scope_id, &rctx->port, cfg->cache_redis_server, s->process->pool);
+ apr_parse_addr_port(&context->host_str, &scope_id, &context->port, cfg->cache_redis_server, s->process->pool);
if (rv != APR_SUCCESS) {
oidc_serror(s, "failed to parse cache server: '%s'", cfg->cache_redis_server);
return HTTP_INTERNAL_SERVER_ERROR;
}
- if (rctx->host_str == NULL) {
+ if (context->host_str == NULL) {
oidc_serror(s, "failed to parse cache server, no hostname specified: '%s'", cfg->cache_redis_server);
return HTTP_INTERNAL_SERVER_ERROR;
}
- if (rctx->port == 0)
- rctx->port = 6379;
+ if (context->port == 0)
+ context->port = 6379;
context->connect = oidc_cache_redis_connect;
context->command = oidc_cache_redis_command;
@@ -211,38 +194,37 @@
*/
static apr_status_t oidc_cache_redis_connect(request_rec *r, oidc_cache_cfg_redis_t *context) {
- oidc_cache_cfg_redis_ctx_t *rctx = (oidc_cache_cfg_redis_ctx_t*) context->ctx;
redisReply *reply = NULL;
- if (rctx->rctx != NULL)
+ if (context->rctx != NULL)
goto end;
/* no connection, connect to the configured Redis server */
oidc_debug(r, "calling redisConnectWithTimeout");
- rctx->rctx = redisConnectWithTimeout(rctx->host_str, rctx->port, context->connect_timeout);
+ context->rctx = redisConnectWithTimeout(context->host_str, context->port, context->connect_timeout);
/* check for errors */
- if ((rctx->rctx == NULL) || (rctx->rctx->err != 0)) {
- oidc_error(r, "failed to connect to Redis server (%s:%d): '%s'", rctx->host_str, rctx->port, rctx->rctx != NULL ? rctx->rctx->errstr : "");
+ if ((context->rctx == NULL) || (context->rctx->err != 0)) {
+ oidc_error(r, "failed to connect to Redis server (%s:%d): '%s'", context->host_str, context->port, context->rctx != NULL ? context->rctx->errstr : "");
context->disconnect(context);
goto end;
}
/* log the connection */
- oidc_debug(r, "successfully connected to Redis server (%s:%d)", rctx->host_str, rctx->port);
+ oidc_debug(r, "successfully connected to Redis server (%s:%d)", context->host_str, context->port);
- if (redisSetTimeout(rctx->rctx, context->timeout) != REDIS_OK)
- oidc_error(r, "redisSetTimeout failed: %s", rctx->rctx->errstr);
+ if (redisSetTimeout(context->rctx, context->timeout) != REDIS_OK)
+ oidc_error(r, "redisSetTimeout failed: %s", context->rctx->errstr);
/* see if we need to authenticate to the Redis server */
if (context->passwd != NULL) {
if (context->username != NULL) {
- reply = redisCommand(rctx->rctx, "AUTH %s %s", context->username, context->passwd);
+ reply = redisCommand(context->rctx, "AUTH %s %s", context->username, context->passwd);
} else {
- reply = redisCommand(rctx->rctx, "AUTH %s", context->passwd);
+ reply = redisCommand(context->rctx, "AUTH %s", context->passwd);
}
if ((reply == NULL) || (reply->type == REDIS_REPLY_ERROR))
- oidc_error(r, "Redis AUTH command (%s:%d) failed: '%s' [%s]", rctx->host_str, rctx->port, rctx->rctx->errstr,
+ oidc_error(r, "Redis AUTH command (%s:%d) failed: '%s' [%s]", context->host_str, context->port, context->rctx->errstr,
reply ? reply->str : "");
else
oidc_debug(r, "successfully authenticated to the Redis server: %s",
@@ -254,9 +236,9 @@
/* see if we need to set the database */
if (context->database != -1) {
- reply = redisCommand(rctx->rctx, "SELECT %d", context->database);
+ reply = redisCommand(context->rctx, "SELECT %d", context->database);
if ((reply == NULL) || (reply->type == REDIS_REPLY_ERROR))
- oidc_error(r, "Redis SELECT command (%s:%d) failed: '%s' [%s]", rctx->host_str, rctx->port, rctx->rctx->errstr,
+ oidc_error(r, "Redis SELECT command (%s:%d) failed: '%s' [%s]", context->host_str, context->port, context->rctx->errstr,
reply ? reply->str : "");
else
oidc_debug(r, "successfully selected database %d on the Redis server: %s", context->database,
@@ -268,14 +250,13 @@
end:
- return (rctx->rctx != NULL) ? APR_SUCCESS : APR_EGENERAL;
+ return (context->rctx != NULL) ? APR_SUCCESS : APR_EGENERAL;
}
redisReply* oidc_cache_redis_command(request_rec *r, oidc_cache_cfg_redis_t *context, char **errstr,
const char *format, va_list ap) {
- oidc_cache_cfg_redis_ctx_t *rctx = (oidc_cache_cfg_redis_ctx_t*) context->ctx;
- redisReply *reply = redisvCommand(rctx->rctx, format, ap);
- *errstr = apr_pstrdup(r->pool, rctx->rctx->errstr);
+ redisReply *reply = redisvCommand(context->rctx, format, ap);
+ *errstr = apr_pstrdup(r->pool, context->rctx->errstr);
return reply;
}
@@ -287,7 +268,6 @@
static redisReply* oidc_cache_redis_exec(request_rec *r, oidc_cache_cfg_redis_t *context,
const char *format, ...) {
- oidc_cache_cfg_redis_ctx_t *rctx = (oidc_cache_cfg_redis_ctx_t*) context->ctx;
redisReply *reply = NULL;
char *errstr = NULL;
int i = 0;
@@ -311,7 +291,7 @@
break;
/* something went wrong, log it */
- oidc_error(r, "Redis command (attempt=%d to %s:%d) failed, disconnecting: '%s' [%s]", i, rctx->host_str, rctx->port, errstr,
+ oidc_error(r, "Redis command (attempt=%d to %s:%d) failed, disconnecting: '%s' [%s]", i, context->host_str, context->port, errstr,
reply ? reply->str : "");
/* free the reply (if there is one allocated) */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/cache/redis.h new/mod_auth_openidc-2.4.12.2/src/cache/redis.h
--- old/mod_auth_openidc-2.4.12.1/src/cache/redis.h 2022-11-14 15:34:36.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/src/cache/redis.h 2022-12-11 09:13:59.000000000 +0100
@@ -61,7 +61,9 @@
int database;
struct timeval connect_timeout;
struct timeval timeout;
- void *ctx;
+ char *host_str;
+ apr_port_t port;
+ redisContext *rctx;
oidc_cache_redis_connect_function_t connect;
oidc_cache_redis_command_function_t command;
oidc_cache_redis_disconnect_function_t disconnect;
@@ -75,3 +77,4 @@
const char **value);
apr_byte_t oidc_cache_redis_set(request_rec *r, const char *section, const char *key,
const char *value, apr_time_t expiry);
+apr_status_t oidc_cache_redis_disconnect(oidc_cache_cfg_redis_t *context);
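Review bot: The newly exported `oidc_cache_redis_disconnect` prototype carries no documentation, and neither do the three fields added to the config struct in the earlier hunk of this file, although they are of different kinds: `host_str` and `port` are filled from `cache_redis_server` at post-config time, while `rctx` is a live hiredis connection kept alongside configuration values. A Doxygen line on the prototype such as `/** Close the Redis connection held in @p context; NULL-safe and idempotent. */` and field comments like `/* parsed from OIDCCacheRedisServer */` and `/* per-process hiredis connection, opened lazily by connect() */` would make the split visible. The synchronous hiredis context is not documented as safe for concurrent use, so the `rctx` comment should also name where access is serialized; that is not visible in this diff and should be confirmed against the callers.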
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.c new/mod_auth_openidc-2.4.12.2/src/mod_auth_openidc.c
--- old/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.c 2022-11-14 15:36:15.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/src/mod_auth_openidc.c 2022-12-13 16:40:49.000000000 +0100
@@ -2537,15 +2537,15 @@
oidc_error(r, "%s: %s", *err_str, *err_desc);
return FALSE;
}
-
- if ((strstr(url, "/%09") != NULL) || (strstr(url, "/%2f") != NULL)
- || (strstr(url, "/%68") != NULL) || (strstr(url, "/http:") != NULL)
- || (strstr(url, "/https:") != NULL) || (strstr(url, "/javascript:") != NULL)
+ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
+ || (strstr(url, "/\t") != NULL)
+ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
+ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
|| (strstr(url, "/���") != NULL) || (strstr(url, "/���") != NULL)
|| (strstr(url, "/���") != NULL) || (strstr(url, "/���") != NULL)
|| (strstr(url, "/���") != NULL) || (strstr(url, "/���") != NULL)
- || (strstr(url, "/<") != NULL) || (strstr(url, "%01javascript:") != NULL)
- || (strstr(url, "/%5c") != NULL)) {
+ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
+ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
*err_str = apr_pstrdup(r->pool, "Invalid URL");
*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
oidc_error(r, "%s: %s", *err_str, *err_desc);
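Review bot: The updated condition still matches `/%5c` with case-sensitive `strstr` while `/%2f` on the first added line was switched to `oidc_util_strcasestr`; percent-encoding hex digits are case-insensitive under RFC 3986, so for consistency that term should read `(oidc_util_strcasestr(url, "/%5c") != NULL)`. The condition is a denylist of known path prefixes rather than a structural check, which the code does not say; a comment such as `/* denylist of path prefixes that user agents may treat as a scheme or authority separator; OIDCRedirectURLsAllowed is the authoritative allow-list */` would tell the next reader why each pattern is present and that the allow-list remains the primary control. The enclosing function starts and ends outside the hunk.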
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.h new/mod_auth_openidc-2.4.12.2/src/mod_auth_openidc.h
--- old/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.h 2022-11-14 15:36:15.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/src/mod_auth_openidc.h 2022-12-13 16:33:07.000000000 +0100
@@ -853,6 +853,7 @@
char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
apr_byte_t oidc_enabled(request_rec *r);
char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
+char* oidc_util_strcasestr(const char *s1, const char *s2);
/* HTTP header constants */
#define OIDC_HTTP_HDR_COOKIE "Cookie"
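Review bot: The new prototype is written `char* oidc_util_strcasestr(...)` while the neighbouring declarations bind the `*` to the name (`char *oidc_util_get_full_path`); `char *oidc_util_strcasestr(const char *s1, const char *s2);` matches the file's style. Since the util.c hunk drops `static` and makes this part of the module-wide interface, the declaration should also carry a one-line Doxygen comment stating its contract, presumably a case-insensitive substring search returning a pointer into `s1` or NULL; the body is cut off in this diff, so confirm the wording against util.c before adding it.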
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/src/util.c new/mod_auth_openidc-2.4.12.2/src/util.c
--- old/mod_auth_openidc-2.4.12.1/src/util.c 2022-11-14 15:36:15.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/src/util.c 2022-12-13 16:32:44.000000000 +0100
@@ -434,7 +434,7 @@
return output;
}
-static char* oidc_util_strcasestr(const char *s1, const char *s2) {
+char* oidc_util_strcasestr(const char *s1, const char *s2) {
const char *s = s1;
const char *p = s2;
do {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.12.1/test/open-redirect-payload-list.txt new/mod_auth_openidc-2.4.12.2/test/open-redirect-payload-list.txt
--- old/mod_auth_openidc-2.4.12.1/test/open-redirect-payload-list.txt 2022-11-13 12:59:47.000000000 +0100
+++ new/mod_auth_openidc-2.4.12.2/test/open-redirect-payload-list.txt 2022-12-13 16:40:29.000000000 +0100
@@ -1,4 +1,5 @@
/%09/example.com
+/ /example.com
/%2f%2fexample.com
/%2f%2f%2fbing.com%2f%3fwww.omise.co
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/