release 2.4.16.11: fix OIDCProviderAuthRequestMethod POST

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,9 @@
+04/02/2025
+- fix protected content leakage when using OIDCProviderAuthRequestMethod POST, see:
+    https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
+- allow for regular Apache processing (e.g. setting response headers) when using OIDCProviderAuthRequestMethod POST
+- release 2.4.16.11
+
 03/21/2025
 - core: complete case-insensitive protocol/hostname/domain-name comparisons
 - release 2.4.16.10

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.16.10],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.16.11],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/handle/content.c

@@ -118,11 +118,18 @@ int oidc_content_handler(request_rec *r) {
 		/* discovery may result in a 200 HTML page or a redirect to an external URL */
 		rc = oidc_discovery_request(r, c);
 
-	} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
+	} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
 
+		/* sending POST authentication request */
+		OIDC_METRICS_COUNTER_INC(r, c, OM_CONTENT_REQUEST_AUTHN_POST);
+
+		rc = OK;
+
+	} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
+
+		/* sending POST preserve request */
 		OIDC_METRICS_COUNTER_INC(r, c, OM_CONTENT_REQUEST_POST_PRESERVE);
 
-		/* sending POST preserve */
 		rc = OK;
 
 	} /* else: an authenticated request for which content is produced downstream */

src/metrics.c

@@ -159,6 +159,7 @@ const oidc_metrics_counter_info_t _oidc_metrics_counters_info[] = {
   { OM_CLASS_CONTENT, "request.jwks",          "JWKs requests to the content handler" },
   { OM_CLASS_CONTENT, "request.discovery",     "discovery requests to the content handler" },
   { OM_CLASS_CONTENT, "request.post-preserve", "HTTP POST preservation requests to the content handler" },
+  { OM_CLASS_CONTENT, "request.authn-post",    "HTTP POST authentication requests to the content handler" },
   { OM_CLASS_CONTENT, "request.unknown",       "unknown requests to the content handler" },
 
   // KEEP THIS: end-of-counters

src/metrics.h

@@ -185,6 +185,7 @@ typedef enum {
 	OM_CONTENT_REQUEST_JWKS,
 	OM_CONTENT_REQUEST_DISCOVERY,
 	OM_CONTENT_REQUEST_POST_PRESERVE,
+	OM_CONTENT_REQUEST_AUTHN_POST,
 	OM_CONTENT_REQUEST_UNKNOWN,
 
 } oidc_metrics_counter_type_t;

src/mod_auth_openidc.h

@@ -56,7 +56,8 @@
 #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
 #define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
 #define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
 #define OIDC_REQUEST_STATE_KEY_SAVE "s"
 #define OIDC_REQUEST_STATE_TRACE_ID "t"
 

src/proto/request.c

@@ -157,7 +157,7 @@ static int oidc_proto_request_form_post_param_add(void *rec, const char *key, co
 /*
  * make the browser POST parameters through Javascript auto-submit
  */
-static int oidc_proto_request_html_post(request_rec *r, const char *url, apr_table_t *params) {
+static void oidc_proto_request_html_post(request_rec *r, const char *url, apr_table_t *params) {
 
 	oidc_debug(r, "enter");
 
@@ -174,7 +174,7 @@ static int oidc_proto_request_html_post(request_rec *r, const char *url, apr_tab
 				 "      </p>\n"
 				 "    </form>\n");
 
-	return oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
+	oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
 }
 
 #define OIDC_REQUEST_OJBECT_COPY_FROM_REQUEST "copy_from_request"
@@ -688,8 +688,12 @@ int oidc_proto_request_auth(request_rec *r, struct oidc_provider_t *provider, co
 	if (oidc_proto_profile_auth_request_method_get(provider) == OIDC_AUTH_REQUEST_METHOD_POST) {
 
 		/* construct a HTML POST auto-submit page with the authorization request parameters */
-		rv =
-		    oidc_proto_request_html_post(r, oidc_cfg_provider_authorization_endpoint_url_get(provider), params);
+		oidc_proto_request_html_post(r, oidc_cfg_provider_authorization_endpoint_url_get(provider), params);
+
+		/* signal this to the content handler */
+		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+		r->user = "";
+		rv = OK;
 
 	} else if (oidc_proto_profile_auth_request_method_get(provider) == OIDC_AUTH_REQUEST_METHOD_PAR) {
 
@@ -701,7 +705,6 @@ int oidc_proto_request_auth(request_rec *r, struct oidc_provider_t *provider, co
 		authorization_request =
 		    oidc_http_query_encoded_url(r, oidc_cfg_provider_authorization_endpoint_url_get(provider), params);
 
-		// TODO: should also enable this when using the POST binding for the auth request
 		/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
 		if (oidc_response_post_preserve_javascript(r, authorization_request, NULL, NULL) == FALSE) {
 
@@ -714,7 +717,7 @@ int oidc_proto_request_auth(request_rec *r, struct oidc_provider_t *provider, co
 		} else {
 
 			/* signal this to the content handler */
-			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
+			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
 			r->user = "";
 			rv = OK;
 		}