From eaa140a33c1947e9ea079a68b7f6f56baeec08cc Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Tue, 4 Dec 2007 05:07:49 +0000
Subject: [PATCH] Detect subrequests and internal redirects.

---
 nsapi_shib/nsapi_shib.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nsapi_shib/nsapi_shib.cpp b/nsapi_shib/nsapi_shib.cpp
index 29b80ab..962499f 100644
--- a/nsapi_shib/nsapi_shib.cpp
+++ b/nsapi_shib/nsapi_shib.cpp
@@ -214,7 +214,7 @@ public:
     qstr = pblock_findval("auth-type", rq->vars);
     if (qstr && !strcmp(qstr, "shibboleth"))
         m_firsttime = false;
-    if (!m_firsttime)
+    if (!m_firsttime || rq->orig_rq)
         log(SPDebug, "nsapi_shib function running more than once");
   }
   ~ShibTargetNSAPI() { }
@@ -287,7 +287,7 @@ public:
     }
   }
   void clearHeader(const char* rawname, const char* cginame) {
-    if (m_firsttime && g_checkSpoofing) {
+    if (g_checkSpoofing && m_firsttime && !m_rq->orig_rq) {
         if (m_allhttp.empty()) {
             // Populate the set of client-supplied headers for spoof checking.
             const pb_entry* entry;
-- 
2.1.4