Replace bespoke cookie parsing with ap_cookie_read() (#202)

* Replace bespoke cookie parsing with ap_cookie_read() * Fix escaping for small chars in urlEncode() The %%%x format string resolves to the literal "%" and the hex representation of the character to be encoded, but is always asssumed to return three characters. However for a small value like e.g. 7 it would return "%7" instead. None of the current two call sites of the function use such a small value, but apply correct padding just in case the function might be used elsewhere in the future. * Update src/mod_auth_cas.c Co-authored-by: David Hawes <dhawes@gmail.com> * Update docs to require Apache 2.4 The upstream support for Apache 2.2.x ended on 2018-01-01 and also none of the long term Linux distros still support it, looking at the latest still supported releases: * Debian 8 ELTS has Apache httpd 2.4.10 * Ubuntu 14.4 has Apache httpd 2.4.5 * RHEL 7 has Apache httpd 2.4.6 * SLES 11 has Apache httpd 2.4.23 Co-authored-by: Moritz Muehlenhoff <jmm@debian.org> Co-authored-by: Moritz Muehlenhoff <moritz@wikimedia.org> Co-authored-by: David Hawes <dhawes@gmail.com>
apereo · Mar 25, 2022 · c642248 · c642248
1 parent de41363
commit c642248
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 23 deletions.
diff --git a/README b/README
@@ -47,7 +47,7 @@ The following development libraries and utilities must be installed:
 * OpenSSL - 0.9.8c or higher
 * Apache Portable Runtime - 1.5.0 or higher
 * Apache Portable Runtime Utilities - 1.3.0 or higher
-* Apache Web Server - 2.2.3 or higher
+* Apache Web Server - 2.4 or higher
 * libcurl - 7.18.2 or higher
 * libpcre - 7.8 or higher
 

diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
@@ -53,6 +53,7 @@
 #include "apr_thread_mutex.h"
 #include "apr_strings.h"
 #include "apr_xml.h"
+#include "util_cookies.h"
 
 #include "cas_saml_attr.h"
 
@@ -780,27 +781,9 @@ char *getCASTicket(request_rec *r)
 
 char *getCASCookie(request_rec *r, char *cookieName)
 {
-	char *cookie, *tokenizerCtx, *rv = NULL;
-	char *cookies = apr_pstrdup(r->pool, (char *) apr_table_get(r->headers_in, "Cookie"));
-
-	if(cookies != NULL) {
-		/* tokenize on ; to find the cookie we want */
-		cookie = apr_strtok(cookies, ";", &tokenizerCtx);
-		while (cookie != NULL) {
-			while (*cookie == ' ') {
-				cookie++;
-			}
-			if (strncmp(cookie, cookieName, strlen(cookieName)) == 0) {
-			  /* skip to the meat of the parameter (the value after the '=') */
-				cookie += (strlen(cookieName)+1);
-				rv = apr_pstrdup(r->pool, cookie);
-				break;
-			}
-			cookie = apr_strtok(NULL, ";", &tokenizerCtx);
-		}
-	}
-
-	return rv;
+	const char *rv = NULL;
+	ap_cookie_read(r, cookieName, &rv, 0);
+	return(apr_pstrdup(r->pool, rv));
 }
 
 void setCASCookie(request_rec *r, char *cookieName, char *cookieValue, apr_byte_t secure, apr_time_t expireTime, char *cookieDomain, char *cookieSameSite)
@@ -916,7 +899,7 @@ char *urlEncode(const request_rec *r, const char *str,
 		escaped = FALSE;
 		for(i = 0; i < limit; i++) {
 			if(*q == charsToEncode[i]) {
-				sprintf(p, "%%%x", charsToEncode[i]);
+				sprintf(p, "%%%02x", charsToEncode[i]);
 				p+= 3;
 				escaped = TRUE;
 				break;