From ec60b933a960b3ae351c962e6c556d7235414723 Mon Sep 17 00:00:00 2001
From: Packit Service
Date: Dec 09 2020 22:54:47 +0000
Subject: Apply patch 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
patch_name: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
present_in_specfile: true
---
diff --git a/README.md b/README.md
index d33a1a6..7be2690 100644
--- a/README.md
+++ b/README.md
@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off
 # then we will redirect him to the login page of the IdP.
 #
 # There is a special handling of AJAX requests, that are
- # identified by the "X-Request-With: XMLHttpRequest" HTTP
+ # identified by the "X-Requested-With: XMLHttpRequest" HTTP
 # header. Since no user interaction can happen there,
 # we always fail unauthenticated (not logged in) requests
 # with a 403 Forbidden error without redirecting to the IdP.
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index b16dc45..e33e6e9 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r)
 * If this is an AJAX request, we cannot proceed to the IdP,
 * Just fail early to save our resources
 */
- ajax_header = apr_table_get(r->headers_in, "X-Request-With");
+ ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
 if (ajax_header != NULL &&
 strcmp(ajax_header, "XMLHttpRequest") == 0) {
 AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
- "Deny unauthenticated X-Request-With XMLHttpRequest "
+ "Deny unauthenticated X-Requested-With XMLHttpRequest "
 "(AJAX) request");
 return HTTP_FORBIDDEN;
 }
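Review bot: The comment above the `apr_table_get(r->headers_in, "X-Requested-With")` lookup in the auth_mellon_handler.c hunk does not say that this header comes from the client and is used here only to choose 403 over a redirect for a request that is already unauthenticated. I would add a line such as `* X-Requested-With is client-controlled: use it only to fail early, never to relax a check.` so a later change does not start treating it as a trust signal. The value is matched with a case-sensitive `strcmp`, so a differently cased value would presumably fall through to the normal redirect path; that looks harmless but is worth stating in the same comment. am_auth_mellon_user starts and ends outside the hunk, so the code that follows this check is not visible here.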