fix double HTML inclusion on state timeout HTML error page

see also f5959d7 and #484; at least Debian Buster Apache 2.4 was affected Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Jun 1, 2021 · 2def2c4 · 2def2c4
1 parent 1c1d62c
commit 2def2c4
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,7 +1,11 @@
+06/01/2021
+- avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page
+  see also f5959d767b0eec4856d561cbaa6d2262a52da551 and #484; at least Debian Buster was affected
+- release 2.4.8.3
+
 05/18/2021
 - make error "session corrupted: no issuer found in session" a warning only so a logout call for a
   non-existing session no longer produces error messages
-- bump to 2.4.9-dev
 
 05/08/2021
 - store timestamps in session in seconds to avoid string conversion problems on some (libapr-1)

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.9-dev],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.8.3],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -699,6 +699,13 @@ static apr_byte_t oidc_restore_proto_state(request_rec *r, oidc_cfg *c,
 						oidc_proto_state_get_original_url(*proto_state)),
 						OK);
 		oidc_proto_state_destroy(*proto_state);
+
+		/*
+		 * a hack for Apache 2.4 to prevent it from writing its own 500/400/302 HTML document
+		 * text by making ap_send_error_response in http_protocol.c return early...
+		 */
+		r->header_only = 1;
+
 		return FALSE;
 	}