From 7f06c9039273c4dd86d8fe7222a0520a97607cab Mon Sep 17 00:00:00 2001
From: Moritz Muehlenhoff
Date: Fri, 18 Mar 2022 14:59:30 +0100
Subject: [PATCH 1/4] Replace bespoke cookie parsing with ap_cookie_read()
---
 src/mod_auth_cas.c | 23 +++--------------------
 1 file changed, 3 insertions(+), 20 deletions(-)
diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index 1791110..7822481 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -53,6 +53,7 @@
 #include "apr_thread_mutex.h"
 #include "apr_strings.h"
 #include "apr_xml.h"
+#include "util_cookies.h"
 #include "cas_saml_attr.h"
@@ -780,26 +781,8 @@ char *getCASTicket(request_rec *r)
 char *getCASCookie(request_rec *r, char *cookieName)
 {
- char *cookie, *tokenizerCtx, *rv = NULL;
- char *cookies = apr_pstrdup(r->pool, (char *) apr_table_get(r->headers_in, "Cookie"));
-
- if(cookies != NULL) {
- /* tokenize on ; to find the cookie we want */
- cookie = apr_strtok(cookies, ";", &tokenizerCtx);
- while (cookie != NULL) {
- while (*cookie == ' ') {
- cookie++;
- }
- if (strncmp(cookie, cookieName, strlen(cookieName)) == 0) {
- /* skip to the meat of the parameter (the value after the '=') */
- cookie += (strlen(cookieName)+1);
- rv = apr_pstrdup(r->pool, cookie);
- break;
- }
- cookie = apr_strtok(NULL, ";", &tokenizerCtx);
- }
- }
-
+ char *rv = NULL;
+ ap_cookie_read(r, cookieName, &rv, 0);
 return rv;
 }
From 2baef13c269066873e7cf50c6fe49f29ee56e545 Mon Sep 17 00:00:00 2001
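Review bot: The apr_status_t returned by ap_cookie_read() on the new second line of getCASCookie is discarded, so a Cookie header that carries two differing values for cookieName (which, as I recall, ap_cookie_read reports as APR_EGENERAL without setting the output pointer) becomes indistinguishable from the cookie simply being absent. Treating that as "no cookie" is a safe default, but it is exactly the condition an operator would want to see logged, since a session cookie being shadowed by a second copy of the same name is not a normal client behaviour. The same status is dropped again in the patch 3/4 hunk that switches rv to const char *. Suggested: `apr_status_t rc = ap_cookie_read(r, cookieName, &rv, 0);` followed by `if (rc != APR_SUCCESS && rc != APR_ENOENT) ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rc, r, "unexpected result reading cookie '%s'", cookieName);`.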
From: Moritz Muehlenhoff
Date: Tue, 22 Mar 2022 11:29:28 +0100
Subject: [PATCH 2/4] Fix escaping for small chars in urlEncode()
The %%%x format string resolves to the literal "%" and the hex representation of the character to be encoded, but is always asssumed to return three characters. However for a small value like e.g. 7 it would return "%7" instead. None of the current two call sites of the function use such a small value, but apply correct padding just in case the function might be used elsewhere in the future.
---
 src/mod_auth_cas.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index 7822481..d48bb6b 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -899,7 +899,7 @@ char *urlEncode(const request_rec *r, const char *str,
 escaped = FALSE;
 for(i = 0; i < limit; i++) {
 if(*q == charsToEncode[i]) {
- sprintf(p, "%%%x", charsToEncode[i]);
+ sprintf(p, "%%%02x", charsToEncode[i]);
 p+= 3;
 escaped = TRUE;
 break;
From 3877c66bb76c8f0b317574fdfeaf6187d1844f80 Mon Sep 17 00:00:00 2001
From: mmuehlenhoff
Date: Fri, 25 Mar 2022 09:28:37 +0100
Subject: [PATCH 3/4] Update src/mod_auth_cas.c
Co-authored-by: David Hawes
---
 src/mod_auth_cas.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index d48bb6b..c91a55f 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -781,9 +781,9 @@ char *getCASTicket(request_rec *r)
 char *getCASCookie(request_rec *r, char *cookieName)
 {
- char *rv = NULL;
+ const char *rv = NULL;
 ap_cookie_read(r, cookieName, &rv, 0);
- return rv;
+ return(apr_pstrdup(r->pool, rv));
 }
 void setCASCookie(request_rec *r, char *cookieName, char *cookieValue, apr_byte_t secure, apr_time_t expireTime, char *cookieDomain, char *cookieSameSite)
From 568f864c0b0dd9cff687462e4920f19e17a938c5 Mon Sep 17 00:00:00 2001
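Review bot: `%02x` fixes the short-value case but still assumes the conversion yields exactly two hex digits, which only holds for a non-negative argument; if charsToEncode is a plain char array (its declaration is outside the hunk) and ever holds a byte above 0x7F, then on a platform where char is signed the promoted negative int prints as eight digits, and the unconditional `p+= 3` together with whatever buffer p points into would be overrun. Since the commit message explicitly hardens the function for future callers with other character sets, completing that is a one-token change: `sprintf(p, "%%%02x", (unsigned char)charsToEncode[i]);`. Bounding the write with `snprintf(p, 4, ...)` would additionally make the three-byte assumption explicit rather than implicit. urlEncode's body starts and ends outside the hunk.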
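Review bot: `return(apr_pstrdup(r->pool, rv));` on the new last line of getCASCookie writes return as if it were a function call, which departs from the `return rv;` form the same function used in the previous patch and from the spacing of the surrounding lines; `return apr_pstrdup(r->pool, rv);` is the conventional form. The copy itself is correct for the not-found case because apr_pstrdup() returns NULL when handed NULL, so callers that test the result against NULL keep working, but that relies on an APR detail a reader has to look up; a one-line comment such as `/* apr_pstrdup() maps NULL to NULL, so a missing cookie still yields NULL */` would make the contract visible at the call site.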
From: Moritz Muehlenhoff
Date: Fri, 25 Mar 2022 09:53:38 +0100
Subject: [PATCH 4/4] Update docs to require Apache 2.4
The upstream support for Apache 2.2.x ended on 2018-01-01 and also none of the long term Linux distros still support it, looking at the latest still supported releases:
* Debian 8 ELTS has Apache httpd 2.4.10
* Ubuntu 14.4 has Apache httpd 2.4.5
* RHEL 7 has Apache httpd 2.4.6
* SLES 11 has Apache httpd 2.4.23
---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 86b8072..1eb755c 100644
--- a/README
+++ b/README
@@ -47,7 +47,7 @@ The following development libraries and utilities must be installed:
 * OpenSSL - 0.9.8c or higher
 * Apache Portable Runtime - 1.5.0 or higher
 * Apache Portable Runtime Utilities - 1.3.0 or higher
-* Apache Web Server - 2.2.3 or higher
+* Apache Web Server - 2.4 or higher
 * libcurl - 7.18.2 or higher
 * libpcre - 7.8 or higher