Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache2-mod_auth_openidc for 
openSUSE:Factory checked in at 2022-08-24 15:10:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_auth_openidc"

Wed Aug 24 15:10:56 2022 rev:25 rq:998851 version:2.4.11.3

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes
        2022-07-28 20:59:41.091760191 +0200
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2083/apache2-mod_auth_openidc.changes
      2022-08-24 15:11:12.044506698 +0200
@@ -1,0 +2,14 @@
+Tue Aug 23 13:51:51 UTC 2022 - Michael Str??der <mich...@stroeder.com>
+
+- update to 2.4.11.3
+  * Bugfixes
+    - avoid memory leak when using PCRE2 regular expressions with
+      array matching; closes #902
+    - avoid memory leak when cjose_jws_get_plaintext fails; closes #903
+    - fix handling of IPv6 based logout URLs
+  * Features
+    - Use optionally provided sid and iss request parameters during
+      front channel logout; see #855
+    - support Forwarded header in addition to X-Forwarded-*; see #853
+
+-------------------------------------------------------------------

Old:
----
  mod_auth_openidc-2.4.11.2.tar.gz

New:
----
  mod_auth_openidc-2.4.11.3.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.LAxFv2/_old  2022-08-24 15:11:12.524507162 +0200
+++ /var/tmp/diff_new_pack.LAxFv2/_new  2022-08-24 15:11:12.532507170 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           apache2-mod_auth_openidc
-Version:        2.4.11.2
+Version:        2.4.11.3
 Release:        0
 Summary:        Apache2.x module for an OpenID Connect enabled Identity 
Provider
 License:        Apache-2.0

++++++ mod_auth_openidc-2.4.11.2.tar.gz -> mod_auth_openidc-2.4.11.3.tar.gz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/AUTHORS 
new/mod_auth_openidc-2.4.11.3/AUTHORS
--- old/mod_auth_openidc-2.4.11.2/AUTHORS       2022-04-22 19:17:17.000000000 
+0200
+++ new/mod_auth_openidc-2.4.11.3/AUTHORS       2022-08-22 12:50:22.000000000 
+0200
@@ -83,3 +83,4 @@
        Daan Bakker <https://github.com/dbakker>
        smanolache <https://github.com/smanolache>
        blackwhiser1 <https://github.com/blackwhiser1>
+       Ruediger Pluem <https://github.com/rpluem-vf>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/ChangeLog 
new/mod_auth_openidc-2.4.11.3/ChangeLog
--- old/mod_auth_openidc-2.4.11.2/ChangeLog     2022-05-05 09:42:54.000000000 
+0200
+++ new/mod_auth_openidc-2.4.11.3/ChangeLog     2022-08-23 12:56:31.000000000 
+0200
@@ -1,3 +1,23 @@
+08/22/2022
+- release 2.4.11.3
+
+08/15/2022
+- avoid memory leak when using PCRE2 regular expressions with array matching; 
closes #902; thanks @smanolache
+- avoid memory leak when cjose_jws_get_plaintext fails; closes #903; thanks 
@smanolache
+- bump to 2.4.11.3rc4
+
+05/20/2022
+- fix handling of IPv6 based logout URLs; thanks @@codemaker219
+- bump to 2.4.11.3rc1
+
+05/16/2022
+- Use optionally provided sid and iss request parameters during front channel
+  logout; see #855; thanks @rpluem-vf
+
+05/06/2022
+- support Forwarded header in addition to X-Forwarded-*; see #853; thanks 
@studersi
+- bump to 2.4.11.3rc0
+
 05/05/2022
 - release 2.4.11.2
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/auth_openidc.conf 
new/mod_auth_openidc-2.4.11.3/auth_openidc.conf
--- old/mod_auth_openidc-2.4.11.2/auth_openidc.conf     2022-05-03 
22:21:07.000000000 +0200
+++ new/mod_auth_openidc-2.4.11.3/auth_openidc.conf     2022-08-22 
12:50:22.000000000 +0200
@@ -944,9 +944,9 @@
 # other redirects such as the "return_to" value on refresh token requests, the 
"login_uri" value
 # on session management based logins through the OP iframe, and the 
"target_link_uri" parameter in
 # 3rd-party initiated logins, e.g.:
-#   OIDCRedirectURLsAllowed ^https://www.example.com 
^https://(\w+).example.org ^https://example.net/app
+#   OIDCRedirectURLsAllowed ^https://www\.example\.com 
^https://(\w+)\.example\.org ^https://example\.net/app
 # or:
-#   OIDCRedirectURLsAllowed ^https://www.example.com/logout$ 
^https://www.example.com/app/return_to$ 
+#   OIDCRedirectURLsAllowed ^https://www\.example\.com/logout$ 
^https://www\.example\.com/app/return_to$
 # When not defined, the default is to match the hostname in the URL redirected 
to against
 # the hostname in the current request.
 #OIDCRedirectURLsAllowed [<regexp>]+
@@ -960,10 +960,11 @@
 # When not defined the default is "DENY".
 #OIDCLogoutXFrameOptions <value>
 
-# Define the X-Forwarded-* headers that will be taken into account as set by a 
reverse proxy
+# Define the X-Forwarded-* or Forwarded headers that will be taken into 
account as set by a reverse proxy
 # in front of mod_auth_openidc. Must be one or more of:
 #  X-Forwarded-Host
 #  X-Forwarded-Port
 #  X-Forwarded-Proto
+#  Forwarded
 # When not defined, such headers will be ignored.
 #OIDCXForwardedHeaders <header>+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/configure 
new/mod_auth_openidc-2.4.11.3/configure
--- old/mod_auth_openidc-2.4.11.2/configure     2022-05-05 09:43:13.000000000 
+0200
+++ new/mod_auth_openidc-2.4.11.3/configure     2022-08-23 12:58:11.000000000 
+0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.11.2.
+# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.11.3.
 #
 # Report bugs to <hans.zandb...@zmartzone.eu>.
 #
@@ -621,8 +621,8 @@
 # Identity of this package.
 PACKAGE_NAME='mod_auth_openidc'
 PACKAGE_TARNAME='mod_auth_openidc'
-PACKAGE_VERSION='2.4.11.2'
-PACKAGE_STRING='mod_auth_openidc 2.4.11.2'
+PACKAGE_VERSION='2.4.11.3'
+PACKAGE_STRING='mod_auth_openidc 2.4.11.3'
 PACKAGE_BUGREPORT='hans.zandb...@zmartzone.eu'
 PACKAGE_URL=''
 
@@ -1406,7 +1406,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_auth_openidc 2.4.11.2 to adapt to many kinds of 
systems.
+\`configure' configures mod_auth_openidc 2.4.11.3 to adapt to many kinds of 
systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1478,7 +1478,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_auth_openidc 2.4.11.2:";;
+     short | recursive ) echo "Configuration of mod_auth_openidc 2.4.11.3:";;
    esac
   cat <<\_ACEOF
 
@@ -1620,7 +1620,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_auth_openidc configure 2.4.11.2
+mod_auth_openidc configure 2.4.11.3
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -1838,7 +1838,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_auth_openidc $as_me 2.4.11.2, which was
+It was created by mod_auth_openidc $as_me 2.4.11.3, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -2594,7 +2594,7 @@
 
 
 
-NAMEVER=mod_auth_openidc-2.4.11.2
+NAMEVER=mod_auth_openidc-2.4.11.3
 
 
 am__api_version='1.16'
@@ -3111,7 +3111,7 @@
 
 # Define the identity of the package.
  PACKAGE='mod_auth_openidc'
- VERSION='2.4.11.2'
+ VERSION='2.4.11.3'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -14594,7 +14594,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by mod_auth_openidc $as_me 2.4.11.2, which was
+This file was extended by mod_auth_openidc $as_me 2.4.11.3, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -14662,7 +14662,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-mod_auth_openidc config.status 2.4.11.2
+mod_auth_openidc config.status 2.4.11.3
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/configure.ac 
new/mod_auth_openidc-2.4.11.3/configure.ac
--- old/mod_auth_openidc-2.4.11.2/configure.ac  2022-05-05 09:43:01.000000000 
+0200
+++ new/mod_auth_openidc-2.4.11.3/configure.ac  2022-08-23 12:56:44.000000000 
+0200
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.11.2],[hans.zandb...@zmartzone.eu])
+AC_INIT([mod_auth_openidc],[2.4.11.3],[hans.zandb...@zmartzone.eu])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/src/authz.c 
new/mod_auth_openidc-2.4.11.3/src/authz.c
--- old/mod_auth_openidc-2.4.11.2/src/authz.c   2022-03-21 19:31:03.000000000 
+0100
+++ new/mod_auth_openidc-2.4.11.3/src/authz.c   2022-08-22 12:50:22.000000000 
+0200
@@ -165,6 +165,7 @@
                                        rc = TRUE;
                                        goto end;
                                } else if (error_str) {
+                                       oidc_pcre_free_match(preg);
                                        oidc_debug(r, "pcre error (array): %s", 
error_str);
                                }
                        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/src/config.c 
new/mod_auth_openidc-2.4.11.3/src/config.c
--- old/mod_auth_openidc-2.4.11.2/src/config.c  2022-05-04 09:41:48.000000000 
+0200
+++ new/mod_auth_openidc-2.4.11.3/src/config.c  2022-08-22 12:50:22.000000000 
+0200
@@ -1294,6 +1294,7 @@
        oidc_check_x_forwarded_hdr(r, x_forwarded_headers, 
OIDC_HDR_X_FORWARDED_HOST, OIDC_HTTP_HDR_X_FORWARDED_HOST, 
oidc_util_hdr_in_x_forwarded_host_get);
        oidc_check_x_forwarded_hdr(r, x_forwarded_headers, 
OIDC_HDR_X_FORWARDED_PORT, OIDC_HTTP_HDR_X_FORWARDED_PORT, 
oidc_util_hdr_in_x_forwarded_port_get);
        oidc_check_x_forwarded_hdr(r, x_forwarded_headers, 
OIDC_HDR_X_FORWARDED_PROTO, OIDC_HTTP_HDR_X_FORWARDED_PROTO, 
oidc_util_hdr_in_x_forwarded_proto_get);
+       oidc_check_x_forwarded_hdr(r, x_forwarded_headers, OIDC_HDR_FORWARDED, 
OIDC_HTTP_HDR_FORWARDED, oidc_util_hdr_in_forwarded_get);
 }
 
 static const char* oidc_set_redirect_urls_allowed(cmd_parms *cmd, void *m,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/src/jose.c 
new/mod_auth_openidc-2.4.11.3/src/jose.c
--- old/mod_auth_openidc-2.4.11.2/src/jose.c    2022-03-23 18:12:08.000000000 
+0100
+++ new/mod_auth_openidc-2.4.11.3/src/jose.c    2022-08-22 12:50:22.000000000 
+0200
@@ -835,6 +835,8 @@
        size_t plaintext_len = 0;
        if (cjose_jws_get_plaintext(jwt->cjose_jws, &plaintext, &plaintext_len,
                        &cjose_err) == FALSE) {
+               oidc_jwt_destroy(jwt);
+               *j_jwt = NULL;
                oidc_jose_error(err, "cjose_jws_get_plaintext failed: %s",
                                oidc_cjose_e2s(pool, cjose_err));
                return FALSE;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/src/mod_auth_openidc.c 
new/mod_auth_openidc-2.4.11.3/src/mod_auth_openidc.c
--- old/mod_auth_openidc-2.4.11.2/src/mod_auth_openidc.c        2022-04-22 
19:15:28.000000000 +0200
+++ new/mod_auth_openidc-2.4.11.3/src/mod_auth_openidc.c        2022-08-22 
12:50:22.000000000 +0200
@@ -1776,13 +1776,18 @@
        char *sid = NULL;
        oidc_debug(r, "provider->backchannel_logout_supported=%d",
                        provider->backchannel_logout_supported);
-       if (provider->backchannel_logout_supported > 0) {
-               oidc_jose_get_string(r->pool, id_token_jwt->payload.value.json,
-                               OIDC_CLAIM_SID, FALSE, &sid, NULL);
-               if (sid == NULL)
-                       sid = id_token_jwt->payload.sub;
-               session->sid = oidc_make_sid_iss_unique(r, sid, 
provider->issuer);
-       }
+       /*
+        * Storing the sid in the session makes sense even if no backchannel 
logout
+        * is supported as the front channel logout as specified in
+        * "OpenID Connect Front-Channel Logout 1.0 - draft 05" at
+        * https://openid.net/specs/openid-connect-frontchannel-1_0.html
+        * might deliver a sid during front channel logout.
+        */
+       oidc_jose_get_string(r->pool, id_token_jwt->payload.value.json,
+                       OIDC_CLAIM_SID, FALSE, &sid, NULL);
+       if (sid == NULL)
+               sid = id_token_jwt->payload.sub;
+       session->sid = oidc_make_sid_iss_unique(r, sid, provider->issuer);
 
        /* store the session */
        return oidc_session_save(r, session, TRUE);
@@ -2450,6 +2455,7 @@
        apr_hash_index_t *hi = NULL;
        size_t i = 0;
        char *url = apr_pstrndup(r->pool, redirect_to_url, OIDC_MAX_URL_LENGTH);
+       char *url_ipv6_aware = NULL;
 
        // replace potentially harmful backslashes with forward slashes
        for (i = 0; i < strlen(url); i++)
@@ -2482,8 +2488,15 @@
                }
        } else if ((uri.hostname != NULL) && (restrict_to_host == TRUE)) {
                c_host = oidc_get_current_url_host(r, c->x_forwarded_headers);
-               if ((strstr(c_host, uri.hostname) == NULL)
-                               || (strstr(uri.hostname, c_host) == NULL)) {
+
+               if (strchr(uri.hostname, ':')) { /* v6 literal */
+                       url_ipv6_aware = apr_pstrcat(r->pool, "[", 
uri.hostname, "]", NULL);
+               } else {
+                       url_ipv6_aware = uri.hostname;
+               }
+
+               if ((strstr(c_host, url_ipv6_aware) == NULL)
+                       || (strstr(url_ipv6_aware, c_host) == NULL)) {
                        *err_str = apr_pstrdup(r->pool, "Invalid Request");
                        *err_desc =
                                        apr_psprintf(r->pool,
@@ -2787,17 +2800,62 @@
        oidc_debug(r, "leave");
 }
 
+static apr_byte_t oidc_cleanup_by_sid(request_rec *r, char *sid, oidc_cfg *cfg,
+                                                                         
oidc_provider_t *provider) {
+
+       char *uuid = NULL;
+       oidc_session_t session;
+
+       oidc_debug(r, "enter (sid=%s,iss=%s)", sid, provider->issuer);
+
+       // TODO: when dealing with sub instead of a true sid, we'll be killing 
all sessions for
+       //         a specific user, across hosts that share the *same* cache 
backend
+       //         if those hosts haven't been configured with a different 
OIDCCryptoPassphrase
+       //         - perhaps that's even acceptable since non-memory caching is 
encrypted by default
+       //           and memory-based caching doesn't suffer from this 
(different shm segments)?
+       //         - it will result in 400 errors returned from backchannel 
logout calls to the other hosts...
+
+       sid = oidc_make_sid_iss_unique(r, sid, provider->issuer);
+       oidc_cache_get_sid(r, sid, &uuid);
+       if (uuid == NULL) {
+               // this may happen when we are the caller
+               oidc_warn(r,
+                               "could not (or no longer) find a session based 
on sid/sub provided in logout token / parameter: %s",
+                               sid);
+               r->user = "";
+               return TRUE;
+       }
+
+       // revoke tokens if we can get a handle on those
+       if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {
+               if (oidc_session_load_cache_by_uuid(r, cfg, uuid, &session) != 
FALSE)
+                       if (oidc_session_extract(r, &session) != FALSE)
+                               oidc_revoke_tokens(r, cfg, &session);
+       }
+
+       // clear the session cache
+       oidc_cache_set_sid(r, sid, NULL, 0);
+       oidc_cache_set_session(r, uuid, NULL, 0);
+
+       r->user = "";
+       return FALSE;
+}
+
 /*
  * handle a local logout
  */
 static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c,
                oidc_session_t *session, const char *url) {
 
+       int no_session_provided = 1;
+
        oidc_debug(r, "enter (url=%s)", url);
 
        /* if there's no remote_user then there's no (stored) session to kill */
-       if (session->remote_user != NULL)
+       if (session->remote_user != NULL) {
+               no_session_provided = 0;
                oidc_revoke_tokens(r, c, session);
+       }
 
        /*
         * remove session state (cq. cache entry and cookie)
@@ -2809,6 +2867,42 @@
        /* see if this is the OP calling us */
        if (oidc_is_front_channel_logout(url)) {
 
+               /*
+                * If no session was provided look for the sid and iss 
parameters in
+                * the request as specified in
+                * "OpenID Connect Front-Channel Logout 1.0 - draft 05" at
+                * https://openid.net/specs/openid-connect-frontchannel-1_0.html
+                * and try to clear the session based on sid / iss like in the
+                * backchannel logout case.
+                */
+               if (no_session_provided) {
+                       char *sid, *iss;
+                       oidc_provider_t *provider = NULL;
+
+                       if (oidc_util_get_request_parameter(r, 
OIDC_REDIRECT_URI_REQUEST_SID,
+                                                                               
                &sid) != FALSE) {
+
+                               if (oidc_util_get_request_parameter(r, 
OIDC_REDIRECT_URI_REQUEST_ISS,
+                                                                               
                        &iss) != FALSE) {
+                                       provider = 
oidc_get_provider_for_issuer(r, c, iss, FALSE);
+                               } else {
+                                       /*
+                                        * Azure AD seems to such a non spec 
compliant provider.
+                                        * In this case try our luck with the 
static config if
+                                        * possible.
+                                        */
+                                       oidc_debug(r, "OP did not provide an 
iss as parameter");
+                                       if (oidc_provider_static_config(r, c, 
&provider) == FALSE)
+                                               provider = NULL;
+                               }
+                               if (provider) {
+                                       oidc_cleanup_by_sid(r, sid, c, 
provider);
+                               } else {
+                                       oidc_info(r, "No provider for front 
channel logout found");
+                               }
+                       }
+               }
+
                /* set recommended cache control headers */
                oidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_CACHE_CONTROL,
                                "no-cache, no-store");
@@ -2861,8 +2955,7 @@
        oidc_jose_error_t err;
        oidc_jwk_t *jwk = NULL;
        oidc_provider_t *provider = NULL;
-       char *sid = NULL, *uuid = NULL;
-       oidc_session_t session;
+       char *sid = NULL;
        int rc = HTTP_BAD_REQUEST;
 
        apr_table_t *params = apr_table_make(r->pool, 8);
@@ -2997,37 +3090,8 @@
                goto out;
        }
 
-       // TODO: when dealing with sub instead of a true sid, we'll be killing 
all sessions for
-       //       a specific user, across hosts that share the *same* cache 
backend
-       //       if those hosts haven't been configured with a different 
OIDCCryptoPassphrase
-       //       - perhaps that's even acceptable since non-memory caching is 
encrypted by default
-       //         and memory-based caching doesn't suffer from this (different 
shm segments)?
-       //       - it will result in 400 errors returned from backchannel 
logout calls to the other hosts...
-
-       sid = oidc_make_sid_iss_unique(r, sid, provider->issuer);
-       oidc_cache_get_sid(r, sid, &uuid);
-       if (uuid == NULL) {
-               // this may happen when we are the caller
-               oidc_warn(r,
-                               "could not (or no longer) find a session based 
on sid/sub provided in logout token: %s",
-                               sid);
-               r->user = "";
-               rc = OK;
-               goto out;
-       }
-
-       // revoke tokens if we can get a handle on those
-       if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {
-               if (oidc_session_load_cache_by_uuid(r, cfg, uuid, &session) != 
FALSE)
-                       if (oidc_session_extract(r, &session) != FALSE)
-                               oidc_revoke_tokens(r, cfg, &session);
-       }
-
-       // clear the session cache
-       oidc_cache_set_sid(r, sid, NULL, 0);
-       oidc_cache_set_session(r, uuid, NULL, 0);
+       oidc_cleanup_by_sid(r, sid, cfg, provider);
 
-       r->user = "";
        rc = OK;
 
 out:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/src/mod_auth_openidc.h 
new/mod_auth_openidc-2.4.11.3/src/mod_auth_openidc.h
--- old/mod_auth_openidc-2.4.11.2/src/mod_auth_openidc.h        2022-05-04 
13:09:46.000000000 +0200
+++ new/mod_auth_openidc-2.4.11.3/src/mod_auth_openidc.h        2022-08-22 
12:50:22.000000000 +0200
@@ -253,6 +253,7 @@
 #define OIDC_HDR_X_FORWARDED_HOST   1
 #define OIDC_HDR_X_FORWARDED_PORT   2
 #define OIDC_HDR_X_FORWARDED_PROTO  4
+#define OIDC_HDR_FORWARDED          8
 
 typedef apr_byte_t (*oidc_proto_pkce_state)(request_rec *r, char **state);
 typedef apr_byte_t (*oidc_proto_pkce_challenge)(request_rec *r, const char 
*state, char **code_challenge);
@@ -481,6 +482,8 @@
 #define OIDC_REDIRECT_URI_REQUEST_REMOVE_AT_CACHE  "remove_at_cache"
 #define OIDC_REDIRECT_URI_REQUEST_REVOKE_SESSION   "revoke_session"
 #define OIDC_REDIRECT_URI_REQUEST_REQUEST_URI      "request_uri"
+#define OIDC_REDIRECT_URI_REQUEST_SID              "sid"
+#define OIDC_REDIRECT_URI_REQUEST_ISS              "iss"
 
 // oidc_oauth
 int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c, const char 
*access_token);
@@ -843,6 +846,7 @@
 #define OIDC_HTTP_HDR_X_FORWARDED_PROTO                 "X-Forwarded-Proto"
 #define OIDC_HTTP_HDR_X_FORWARDED_PORT                  "X-Forwarded-Port"
 #define OIDC_HTTP_HDR_X_FORWARDED_HOST                  "X-Forwarded-Host"
+#define OIDC_HTTP_HDR_FORWARDED                         "Forwarded"
 #define OIDC_HTTP_HDR_HOST                              "Host"
 #define OIDC_HTTP_HDR_LOCATION                          "Location"
 #define OIDC_HTTP_HDR_CACHE_CONTROL                     "Cache-Control"
@@ -872,6 +876,7 @@
 const char *oidc_util_hdr_in_x_forwarded_proto_get(const request_rec *r);
 const char *oidc_util_hdr_in_x_forwarded_port_get(const request_rec *r);
 const char *oidc_util_hdr_in_x_forwarded_host_get(const request_rec *r);
+const char* oidc_util_hdr_in_forwarded_get(const request_rec *r);
 const char *oidc_util_hdr_in_host_get(const request_rec *r);
 void oidc_util_hdr_out_location_set(const request_rec *r, const char *value);
 const char *oidc_util_hdr_out_location_get(const request_rec *r);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/src/parse.c 
new/mod_auth_openidc-2.4.11.3/src/parse.c
--- old/mod_auth_openidc-2.4.11.2/src/parse.c   2022-03-29 20:39:43.000000000 
+0200
+++ new/mod_auth_openidc-2.4.11.3/src/parse.c   2022-08-22 12:50:22.000000000 
+0200
@@ -1362,6 +1362,7 @@
                        OIDC_HTTP_HDR_X_FORWARDED_HOST,
                        OIDC_HTTP_HDR_X_FORWARDED_PORT,
                        OIDC_HTTP_HDR_X_FORWARDED_PROTO,
+                       OIDC_HTTP_HDR_FORWARDED,
                        NULL };
        const char *rv = oidc_valid_string_option(pool, arg, options);
        if (rv != NULL)
@@ -1373,6 +1374,8 @@
                *x_forwarded_headers |= OIDC_HDR_X_FORWARDED_PORT;
        } else if (apr_strnatcmp(arg, OIDC_HTTP_HDR_X_FORWARDED_PROTO) == 0) {
                *x_forwarded_headers |= OIDC_HDR_X_FORWARDED_PROTO;
+       } else if (apr_strnatcmp(arg, OIDC_HTTP_HDR_FORWARDED) == 0) {
+               *x_forwarded_headers |= OIDC_HDR_FORWARDED;
        }
 
        return NULL;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/src/pcre_subst.c 
new/mod_auth_openidc-2.4.11.3/src/pcre_subst.c
--- old/mod_auth_openidc-2.4.11.2/src/pcre_subst.c      2022-03-21 
19:31:03.000000000 +0100
+++ new/mod_auth_openidc-2.4.11.3/src/pcre_subst.c      2022-08-22 
12:50:22.000000000 +0200
@@ -236,6 +236,15 @@
 #endif
 }
 
+void oidc_pcre_free_match(struct oidc_pcre *pcre) {
+#ifdef HAVE_LIBPCRE2
+       if (pcre->match_data) {
+               pcre2_match_data_free(pcre->match_data);
+               pcre->match_data = NULL;
+       }
+#endif
+}
+
 int oidc_pcre_get_substring(apr_pool_t *pool, const struct oidc_pcre *pcre, 
const char *input,
                int rc, char **sub_str, char **error_str) {
        int rv = 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/src/pcre_subst.h 
new/mod_auth_openidc-2.4.11.3/src/pcre_subst.h
--- old/mod_auth_openidc-2.4.11.2/src/pcre_subst.h      2022-03-21 
19:31:03.000000000 +0100
+++ new/mod_auth_openidc-2.4.11.3/src/pcre_subst.h      2022-08-22 
12:50:22.000000000 +0200
@@ -47,6 +47,7 @@
 char* oidc_pcre_subst(apr_pool_t *pool, const struct oidc_pcre*, const char*, 
int, const char*);
 int oidc_pcre_exec(apr_pool_t*, struct oidc_pcre*, const char*, int, char**);
 void oidc_pcre_free(struct oidc_pcre*);
+void oidc_pcre_free_match(struct oidc_pcre*);
 int oidc_pcre_get_substring(apr_pool_t *pool, const struct oidc_pcre*, const 
char *input, int rc,
                char **sub_str, char **error_str);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/src/util.c 
new/mod_auth_openidc-2.4.11.3/src/util.c
--- old/mod_auth_openidc-2.4.11.2/src/util.c    2022-03-29 20:39:33.000000000 
+0200
+++ new/mod_auth_openidc-2.4.11.3/src/util.c    2022-08-22 12:50:22.000000000 
+0200
@@ -434,6 +434,23 @@
     return output;
 }
 
+static const char* oidc_util_hdr_forwarded_get(const request_rec *r, const 
char *elem) {
+       const char *value = NULL;
+       char *ptr = NULL;
+       const char *item = apr_psprintf(r->pool, "%s=", elem);
+       value = oidc_util_hdr_in_forwarded_get(r);
+       value = strcasestr(value, item);
+       if (value) {
+               value += strlen(item);
+               ptr = strstr(value, ";");
+               if (ptr)
+                       *ptr = '\0';
+               ptr = strstr(value, " ");
+               if (ptr)
+                       *ptr = '\0';
+       }
+       return apr_pstrdup(r->pool, value);
+}
 
 /*
  * get the URL scheme that is currently being accessed
@@ -443,7 +460,9 @@
        /* first see if there's a proxy/load-balancer in front of us */
        const char *scheme_str = NULL;
 
-       if (x_forwarded_headers & OIDC_HDR_X_FORWARDED_PROTO)
+       if ((x_forwarded_headers & OIDC_HDR_FORWARDED))
+               scheme_str = oidc_util_hdr_forwarded_get(r, "proto");
+       else if (x_forwarded_headers & OIDC_HDR_X_FORWARDED_PROTO)
                scheme_str = oidc_util_hdr_in_x_forwarded_proto_get(r);
 
        /* if not we'll determine the scheme used to connect to this server */
@@ -505,11 +524,13 @@
                return port_str;
 
        /*
-        * see if we can get the port from the "X-Forwarded-Host" header
+        * see if we can get the port from the "X-Forwarded-Host" or 
"Forwarded" header
         * and if that header was set we'll assume defaults
         */
 
-       if (x_forwarded_headers & OIDC_HDR_X_FORWARDED_HOST)
+       if (x_forwarded_headers & OIDC_HDR_FORWARDED)
+               host_hdr = oidc_util_hdr_forwarded_get(r, "host");
+       else if (x_forwarded_headers & OIDC_HDR_X_FORWARDED_HOST)
                host_hdr = oidc_util_hdr_in_x_forwarded_host_get(r);
 
        if (host_hdr) {
@@ -541,6 +562,13 @@
                        return NULL;
 
        /*
+        * do the same for the Forwarded: proto= header
+        */
+       if (x_forwarded_headers & OIDC_HDR_FORWARDED)
+               if (oidc_util_hdr_forwarded_get(r, "proto"))
+                               return NULL;
+
+       /*
         * if no port was set in the Host header and no X-Forwarded-Proto was 
set, we'll
         * determine the port locally and don't print it when it's the default 
for the protocol
         */
@@ -562,7 +590,9 @@
        char *p = NULL;
        char *i = NULL;
 
-       if (x_forwarded_headers & OIDC_HDR_X_FORWARDED_HOST)
+       if (x_forwarded_headers & OIDC_HDR_FORWARDED)
+               host_str = oidc_util_hdr_forwarded_get(r, "host");
+       else if (x_forwarded_headers & OIDC_HDR_X_FORWARDED_HOST)
                host_str = oidc_util_hdr_in_x_forwarded_host_get(r);
 
        if (host_str == NULL)
@@ -2629,6 +2659,11 @@
                        OIDC_HTTP_HDR_X_FORWARDED_HOST, OIDC_STR_COMMA 
OIDC_STR_SPACE);
 }
 
+const char* oidc_util_hdr_in_forwarded_get(const request_rec *r) {
+       return oidc_util_hdr_in_get_left_most_only(r,
+                       OIDC_HTTP_HDR_FORWARDED, OIDC_STR_COMMA);
+}
+
 const char* oidc_util_hdr_in_host_get(const request_rec *r) {
        return oidc_util_hdr_in_get(r, OIDC_HTTP_HDR_HOST);
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.11.2/test/test.c 
new/mod_auth_openidc-2.4.11.3/test/test.c
--- old/mod_auth_openidc-2.4.11.2/test/test.c   2022-03-29 20:39:33.000000000 
+0200
+++ new/mod_auth_openidc-2.4.11.3/test/test.c   2022-08-22 12:50:22.000000000 
+0200
@@ -1313,6 +1313,36 @@
        TST_ASSERT_STR("test_current_url (10)", url,
                        
"http://[fd04:41b1:1170:28:16b0:446b:9fb7:7118]/private/?foo=bar&param1=value1";);
 
+       apr_table_unset(r->headers_in, "X-Forwarded-Proto");
+       apr_table_unset(r->headers_in, "Host");
+
+       apr_table_set(r->headers_in, "Forwarded", "host=www.outer.com");
+       url = oidc_get_current_url(r, OIDC_HDR_FORWARDED);
+       TST_ASSERT_STR("test_current_url (11)", url,
+                       "https://www.outer.com/private/?foo=bar&param1=value1";);
+
+       apr_table_set(r->headers_in, "Forwarded", "proto=http");
+       url = oidc_get_current_url(r, OIDC_HDR_FORWARDED);
+       TST_ASSERT_STR("test_current_url (12)", url,
+                       
"http://www.example.com/private/?foo=bar&param1=value1";);
+
+       apr_table_set(r->headers_in, "Forwarded", "host=www.outer.com:8443");
+       url = oidc_get_current_url(r, OIDC_HDR_FORWARDED);
+       TST_ASSERT_STR("test_current_url (13)", url,
+                       
"https://www.outer.com:8443/private/?foo=bar&param1=value1";);
+
+       apr_table_set(r->headers_in, "Forwarded", "proto=http; 
host=www.outer.com:8080");
+       url = oidc_get_current_url(r, OIDC_HDR_FORWARDED);
+       TST_ASSERT_STR("test_current_url (14)", url,
+                       
"http://www.outer.com:8080/private/?foo=bar&param1=value1";);
+
+       apr_table_set(r->headers_in, "Forwarded", "host=www.outer.com:8080; 
proto=http");
+       url = oidc_get_current_url(r, OIDC_HDR_FORWARDED);
+       TST_ASSERT_STR("test_current_url (15)", url,
+                       
"http://www.outer.com:8080/private/?foo=bar&param1=value1";);
+
+       apr_table_unset(r->headers_in, "Forwarded");
+
        apr_table_set(r->headers_in, "Host", "www.example.com");
 
        return 0;

Reply via email to