avoid appending 401 HTML document text on step-up authentication

- applies to Apache 2.4 HTML refresh with an authorization request - closes #484 - bump to 2.4.5rc0 Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Sep 22, 2020 · f5959d7 · f5959d7
1 parent 198eea3
commit f5959d7
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+09/22/2020
+- avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
+- bump to 2.4.5rc0
+
 09/21/2020
 - populate AUTH_TYPE when performing authentication; thanks @spanglerco
 

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.4.1],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.5rc0],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -4097,6 +4097,11 @@ static authz_status oidc_handle_unauthorized_user24(request_rec *r) {
 				location);
 		oidc_util_html_send(r, "Stepup Authentication", html_head, NULL, NULL,
 				HTTP_UNAUTHORIZED);
+		/*
+		 * a hack for Apache 2.4 to prevent it from writing its own 401 HTML document
+		 * text by making ap_send_error_response in http_protocol.c return early...
+		 */
+		r->header_only = 1;
 	}
 
 	return AUTHZ_DENIED;