[pubcookie-dev] CVS update: fox;
webiso/pubcookie/src flavor_getcred.c,1.35,1.36
index.cgi.c,1.166,1.167 index.cgi.h,1.58,1.59
mod_pubcookie.c,1.192,1.193
fox at washington.edu
fox at washington.edu
Wed Nov 9 15:49:01 PST 2005
Update of /usr/local/cvsroot/webiso/pubcookie/src
In directory webiso-cvs.cac.washington.edu:/var/tmp/cvs-serv14630/webiso/pubcookie/src
Modified Files:
flavor_getcred.c index.cgi.c index.cgi.h mod_pubcookie.c
Log Message:
Iterate through cookie list looking for valid cookies - instead
of accepting only the first.
Cookies included in the iteration: granting, session, login.
Granting request not included as it is not encrypted.
Kerb cookies not included as I cannot test them. Should be
easy for someone to do the same with them, however.
Jim
Index: webiso/pubcookie/src/flavor_getcred.c
diff -c webiso/pubcookie/src/flavor_getcred.c:1.35 webiso/pubcookie/src/flavor_getcred.c:1.36
*** webiso/pubcookie/src/flavor_getcred.c:1.35 Tue Jun 21 11:02:12 2005
--- webiso/pubcookie/src/flavor_getcred.c Wed Nov 9 15:48:59 2005
***************
*** 18,24 ****
/** @file flavor_getcred.c
* Getcred flavor
*
! * $Id: flavor_getcred.c,v 1.35 2005/06/21 18:02:12 willey Exp $
*/
--- 18,24 ----
/** @file flavor_getcred.c
* Getcred flavor
*
! * $Id: flavor_getcred.c,v 1.36 2005/11/09 23:48:59 fox Exp $
*/
***************
*** 291,297 ****
if (get_cookie
(p, PBC_CRED_COOKIENAME, cookie,
! sizeof (cookie) - 1) != PBC_OK) {
pbc_log_activity (p, PBC_LOG_ERROR,
"flavor_getcred: couldn't retrieve cookie %s",
PBC_CRED_COOKIENAME);
--- 291,297 ----
if (get_cookie
(p, PBC_CRED_COOKIENAME, cookie,
! sizeof (cookie) - 1, 0) != PBC_OK) {
pbc_log_activity (p, PBC_LOG_ERROR,
"flavor_getcred: couldn't retrieve cookie %s",
PBC_CRED_COOKIENAME);
Index: webiso/pubcookie/src/index.cgi.c
diff -c webiso/pubcookie/src/index.cgi.c:1.166 webiso/pubcookie/src/index.cgi.c:1.167
*** webiso/pubcookie/src/index.cgi.c:1.166 Fri Oct 7 15:20:24 2005
--- webiso/pubcookie/src/index.cgi.c Wed Nov 9 15:48:59 2005
***************
*** 18,24 ****
/** @file index.cgi.c
* Login server CGI
*
! * $Id: index.cgi.c,v 1.166 2005/10/07 22:20:24 jjminer Exp $
*/
#ifdef WITH_FCGI
--- 18,24 ----
/** @file index.cgi.c
* Login server CGI
*
! * $Id: index.cgi.c,v 1.167 2005/11/09 23:48:59 fox Exp $
*/
#ifdef WITH_FCGI
***************
*** 580,595 ****
}
/*
! * this returns first cookie for a given name
*/
! int get_cookie (pool * p, char *name, char *result, int max)
{
char *s;
char *ptr;
char *target;
char *wkspc;
! pbc_log_activity (p, PBC_LOG_DEBUG_LOW, "get_cookie: hello\n");
if (!(target = malloc (PBC_20K))) {
abend (p, "out of memory");
--- 580,596 ----
}
/*
! * this returns n'th cookie for a given name
*/
! int get_cookie (pool * p, char *name, char *result, int max, int n)
{
char *s;
char *ptr;
char *target;
char *wkspc;
+ int i;
! pbc_log_activity (p, PBC_LOG_DEBUG_LOW, "get_cookie: hello: name=%s, n=%d\n", name, n);
if (!(target = malloc (PBC_20K))) {
abend (p, "out of memory");
***************
*** 606,618 ****
/* make us a local copy */
strlcpy (target, s, PBC_20K - 1);
! if (!(wkspc = strstr (target, name))) {
! free (target);
! return (PBC_FAIL);
}
/* get rid of the <name>= part from the cookie */
! ptr = wkspc = wkspc + strlen (name) + 1;
while (*ptr) {
if (*ptr == ';') {
*ptr = '\0';
--- 607,622 ----
/* make us a local copy */
strlcpy (target, s, PBC_20K - 1);
! for (wkspc=target,i=0;i<=n;i++) {
! if (!(wkspc = strstr (wkspc, name))) {
! free (target);
! return (PBC_FAIL);
! }
! wkspc += strlen (name) + 1;
}
/* get rid of the <name>= part from the cookie */
! ptr = wkspc;
while (*ptr) {
if (*ptr == ';') {
*ptr = '\0';
***************
*** 1111,1117 ****
abend (p, "out of memory");
}
! if (get_cookie (p, PBC_G_REQ_COOKIENAME, cookie, PBC_4K - 1) ==
PBC_FAIL) {
pbc_free (p, cookie);
return (NULL);
--- 1115,1121 ----
abend (p, "out of memory");
}
! if (get_cookie (p, PBC_G_REQ_COOKIENAME, cookie, PBC_4K - 1, 0) ==
PBC_FAIL) {
pbc_free (p, cookie);
return (NULL);
***************
*** 3017,3022 ****
--- 3021,3027 ----
char *cookie = NULL;
login_rec *new = NULL;
time_t t;
+ int cn = 0;
pbc_log_activity (p, PBC_LOG_DEBUG_LOW,
"verify_unload_login_cookie: hello\n");
***************
*** 3025,3051 ****
abend (p, "out of memory");
/* get the login cookie */
! if ((get_cookie (p, PBC_L_COOKIENAME, cookie, PBC_4K - 1) == PBC_FAIL)
! || !strcmp (cookie, PBC_CLEAR_COOKIE)) {
! if (cookie != NULL)
! free (cookie);
! return ((login_rec *) NULL);
! }
!
! new = malloc (sizeof (login_rec));
! init_login_rec (p, new);
!
! cookie_data =
! libpbc_unbundle_cookie (p, context, cookie, NULL, 0,
PBC_DEF_CRYPT);
/* Done with cookie */
! if (cookie != NULL)
! pbc_free (p, cookie);
! if (!cookie_data) {
! return ((login_rec *) NULL);
! }
new->user = strdup ((*cookie_data).broken.user);
new->version = strdup ((*cookie_data).broken.version);
--- 3030,3050 ----
abend (p, "out of memory");
/* get the login cookie */
! while ((get_cookie (p, PBC_L_COOKIENAME, cookie, PBC_4K - 1, cn) != PBC_FAIL)) {
! if (!strcmp (cookie, PBC_CLEAR_COOKIE)) continue;
! cookie_data = libpbc_unbundle_cookie (p, context, cookie, NULL, 0,
PBC_DEF_CRYPT);
+ if (cookie_data) break;
+ cn++;
+ }
/* Done with cookie */
! if (cookie != NULL) free (cookie);
! if (!cookie_data) return ((login_rec *) NULL);
!
! new = malloc (sizeof (login_rec));
! init_login_rec (p, new);
new->user = strdup ((*cookie_data).broken.user);
new->version = strdup ((*cookie_data).broken.version);
Index: webiso/pubcookie/src/index.cgi.h
diff -c webiso/pubcookie/src/index.cgi.h:1.58 webiso/pubcookie/src/index.cgi.h:1.59
*** webiso/pubcookie/src/index.cgi.h:1.58 Mon Aug 1 16:03:26 2005
--- webiso/pubcookie/src/index.cgi.h Wed Nov 9 15:48:59 2005
***************
*** 16,22 ****
*/
/*
! $Id: index.cgi.h,v 1.58 2005/08/01 23:03:26 willey Exp $
*/
#ifndef PUBCOOKIE_LOGIN_CGI
--- 16,22 ----
*/
/*
! $Id: index.cgi.h,v 1.59 2005/11/09 23:48:59 fox Exp $
*/
#ifndef PUBCOOKIE_LOGIN_CGI
***************
*** 129,135 ****
int create_cookie (pool *, const security_context *, char *, char *,
char *, char, char, int, time_t, time_t, char *,
const char *host, int, char);
! int get_cookie (pool * p, char *name, char *result, int max);
login_rec *get_query (pool *);
char *check_login (pool *, login_rec *, login_rec *);
char *check_l_cookie (pool *, const security_context *, login_rec *,
--- 129,135 ----
int create_cookie (pool *, const security_context *, char *, char *,
char *, char, char, int, time_t, time_t, char *,
const char *host, int, char);
! int get_cookie (pool * p, char *name, char *result, int max, int n);
login_rec *get_query (pool *);
char *check_login (pool *, login_rec *, login_rec *);
char *check_l_cookie (pool *, const security_context *, login_rec *,
Index: webiso/pubcookie/src/mod_pubcookie.c
diff -c webiso/pubcookie/src/mod_pubcookie.c:1.192 webiso/pubcookie/src/mod_pubcookie.c:1.193
*** webiso/pubcookie/src/mod_pubcookie.c:1.192 Tue Nov 1 07:28:18 2005
--- webiso/pubcookie/src/mod_pubcookie.c Wed Nov 9 15:48:59 2005
***************
*** 18,24 ****
/** @file mod_pubcookie.c
* Apache pubcookie module
*
! * $Id: mod_pubcookie.c,v 1.192 2005/11/01 15:28:18 dors Exp $
*/
#define MAX_POST_DATA 10485760
--- 18,24 ----
/** @file mod_pubcookie.c
* Apache pubcookie module
*
! * $Id: mod_pubcookie.c,v 1.193 2005/11/09 23:48:59 fox Exp $
*/
#define MAX_POST_DATA 10485760
***************
*** 750,815 ****
return mr;
}
- char *blank_cookie (request_rec * r, char *name)
- {
- const char *cookie_header;
- char *cookie;
- char *ptr;
- pool *p = r->pool;
- request_rec *mr = top_rrec (r);
- char *c2;
- char *name_w_eq;
- pubcookie_server_rec *scfg;
- scfg =
- (pubcookie_server_rec *) ap_get_module_config (r->server->
- module_config,
- &pubcookie_module);
-
- if (scfg->noblank)
- return (NULL);
-
- /* If we've stashed the cookie, we know it's already blanked */
- if (ap_table_get (mr->notes, name) ||
- !(cookie_header = ap_table_get (r->headers_in, "Cookie")))
- return (NULL);
-
- /* add an equal on the end */
- name_w_eq = ap_pstrcat (p, name, "=", NULL);
-
- if (!(cookie = strstr (cookie_header, name_w_eq)))
- return (NULL);
-
- cookie += strlen (name_w_eq);
-
- /*
- * Because the cookie blanking affects the whole subrequest chain, we
- * need to stash the cookie away to be used again later. We need cookies
- * to persist among subrequests, either because subrequests need the
- * cookie, such as in mod_cern_meta, or because the first time fixups is
- * run and blanks the cookies is during a subrequest itself.
- *
- * Because of all this, we stash in the topmost request's notes table.
- * Note that we must use the topmost request's pool instead of our own
- * pool!
- */
- c2 = ap_pstrdup (mr->pool, cookie);
- if ((ptr = strchr (c2, ';')))
- *ptr = '\0';
- ap_table_set (mr->notes, name, c2);
-
- ptr = cookie;
- while (*ptr) {
- if (*ptr == ';')
- break;
- *ptr = PBC_X_CHAR;
- ptr++;
- }
-
- ap_table_set (r->headers_in, "Cookie", cookie_header);
-
- return (ptr);
-
- }
/* Herein we deal with the redirect of the request to the login server */
/* if it was only that simple ... */
--- 750,755 ----
***************
*** 1129,1145 ****
* We don't bother with using the topmost request when playing with the
* headers because only the pointer is copied, anyway.
*/
! char *get_cookie (request_rec * r, char *name)
{
const char *cookie_header;
char *cookie, *ptr;
request_rec *mr = top_rrec (r);
char *name_w_eq;
pool *p = r->pool;
/* get cookies */
! if ((cookie_header = ap_table_get (mr->notes, name)))
return ap_pstrdup (p, cookie_header);
if (!(cookie_header = ap_table_get (r->headers_in, "Cookie")))
return NULL;
--- 1069,1097 ----
* We don't bother with using the topmost request when playing with the
* headers because only the pointer is copied, anyway.
*/
! char *get_cookie (request_rec * r, char *name, int n)
{
const char *cookie_header;
+ char *chp;
char *cookie, *ptr;
request_rec *mr = top_rrec (r);
char *name_w_eq;
pool *p = r->pool;
+ pubcookie_server_rec *scfg;
+ int i;
+
+ scfg =
+ (pubcookie_server_rec *) ap_get_module_config (r->server->
+ module_config,
+ &pubcookie_module);
+
+ ap_log_rerror (PC_LOG_DEBUG, r, "get_cookie: %s (%d)", name, n);
/* get cookies */
! if ((n==0) && (cookie_header = ap_table_get (mr->notes, name))&&(*cookie_header)) {
! ap_log_rerror (PC_LOG_DEBUG, r, " .. by cache: %s", cookie_header);
return ap_pstrdup (p, cookie_header);
+ }
if (!(cookie_header = ap_table_get (r->headers_in, "Cookie")))
return NULL;
***************
*** 1147,1158 ****
name_w_eq = ap_pstrcat (p, name, "=", NULL);
/* find the one that's pubcookie */
! if (!(cookie_header = strstr (cookie_header, name_w_eq)))
! return NULL;
!
! cookie_header += strlen (name_w_eq);
! cookie = ap_pstrdup (p, cookie_header);
ptr = cookie;
while (*ptr) {
--- 1099,1110 ----
name_w_eq = ap_pstrcat (p, name, "=", NULL);
/* find the one that's pubcookie */
! for (chp=(char*)cookie_header,i=0;i<=n;i++) {
! if (!(chp = strstr(chp, name_w_eq))) return NULL;
! chp += strlen (name_w_eq);
! }
! cookie = ap_pstrdup (p, chp);
ptr = cookie;
while (*ptr) {
***************
*** 1161,1168 ****
ptr++;
}
! blank_cookie (r, name);
! return cookie;
}
--- 1113,1132 ----
ptr++;
}
! // cache and blank cookie
! ptr = ap_pstrdup (mr->pool, cookie);
! ap_table_set (mr->notes, name, ptr);
!
! if (!scfg->noblank) {
! for (ptr=chp; *ptr&&*ptr!=';'; ptr++) *ptr = PBC_X_CHAR;
! ap_table_set (r->headers_in, "Cookie", cookie_header);
! }
!
! if (*cookie) {
! ap_log_rerror (PC_LOG_DEBUG, r, " .. return: %s", cookie);
! return cookie;
! }
! return (NULL);
}
***************
*** 1457,1462 ****
--- 1421,1427 ----
pbc_cookie_data *cookie_data = NULL;
char *cookie = NULL;
pool *p = r->pool;
+ int ccnt = 0;
cfg = (pubcookie_dir_rec *) ap_get_module_config (r->per_dir_config,
&pubcookie_module);
***************
*** 1466,1485 ****
&pubcookie_module);
ap_log_rerror (PC_LOG_DEBUG, r, "retrieving a pre-session ckookie");
! if ((cookie = get_cookie (r, PBC_PRE_S_COOKIENAME)) == NULL)
! ap_log_rerror (PC_LOG_INFO, r,
! "get_pre_s_from_cookie: no pre_s cookie, uri: %s\n",
! r->uri);
! else
cookie_data = libpbc_unbundle_cookie (p, scfg->sectext,
cookie, ME (r), 0,
scfg->crypt_alg);
!
! if (cookie_data == NULL) {
ap_log_rerror (PC_LOG_INFO, r,
"get_pre_s_from_cookie: can't unbundle pre_s cookie uri: %s\n",
r->uri);
! return -1;
}
return ((*cookie_data).broken.pre_sess_token);
--- 1431,1451 ----
&pubcookie_module);
ap_log_rerror (PC_LOG_DEBUG, r, "retrieving a pre-session ckookie");
! while (cookie = get_cookie (r, PBC_PRE_S_COOKIENAME, ccnt)) {
cookie_data = libpbc_unbundle_cookie (p, scfg->sectext,
cookie, ME (r), 0,
scfg->crypt_alg);
! if (cookie_data) break;
ap_log_rerror (PC_LOG_INFO, r,
"get_pre_s_from_cookie: can't unbundle pre_s cookie uri: %s\n",
r->uri);
! ccnt++;
! }
! if (!cookie_data) {
! ap_log_rerror (PC_LOG_INFO, r,
! "get_pre_s_from_cookie: no pre_s cookie, uri: %s\n",
! r->uri);
! return (-1);
}
return ((*cookie_data).broken.pre_sess_token);
***************
*** 1608,1614 ****
char *new_cookie = ap_palloc (p, PBC_1K);
int cred_from_trans;
int pre_sess_from_cookie;
! int bogus_g = 0; /* remember if we get a g cookie we can't unbundle */
/* get defaults for unset args */
pubcookie_dir_defaults (cfg);
--- 1574,1581 ----
char *new_cookie = ap_palloc (p, PBC_1K);
int cred_from_trans;
int pre_sess_from_cookie;
! int gcnt = 0;
! int scnt = 0;
/* get defaults for unset args */
pubcookie_dir_defaults (cfg);
***************
*** 1673,1724 ****
fail to decrypt aren't for our app server. In cases where the crypt
key is incorrect on the app server this will cause looping */
cookie_data = NULL;
! if ((cookie = get_cookie (r, PBC_G_COOKIENAME))
! && strcmp (cookie, "") != 0
! && (scfg->use_post || get_cookie (r, PBC_PRE_S_COOKIENAME))) {
cookie_data =
libpbc_unbundle_cookie (p, scfg->sectext, cookie,
ap_get_server_name (r), 1,
scfg->crypt_alg);
! if (!cookie_data) {
! ap_log_rerror (PC_LOG_INFO, r,
! "can't unbundle G cookie, it's probably not for us; uri: %s\n",
! r->uri);
! bogus_g = 1;
! clear_granting_cookie (r);
! }
}
! /* do we hav a session cookie for this appid? if not check the g cookie */
if (!cookie_data || strncasecmp ((const char *) appid (r),
(const char *) cookie_data->broken.
appid,
sizeof (cookie_data->broken.appid) -
1) != 0) {
! if (!(cookie = get_cookie (r, sess_cookie_name))
! || strcmp (cookie, "") == 0) {
!
! ap_log_rerror (PC_LOG_DEBUG, r,
! "No G or S cookie; uri: %s appid: %s sess_cookie_name: %s",
! r->uri, appid (r), sess_cookie_name);
! rr->failed = PBC_BAD_AUTH;
! rr->redir_reason_no = PBC_RR_NOGORS_CODE;
! return OK;
! } else { /* hav S cookie */
!
cookie_data =
libpbc_unbundle_cookie (p, scfg->sectext, cookie, NULL, 0,
scfg->crypt_alg);
! if (!cookie_data) {
! ap_log_rerror (PC_LOG_INFO, r,
! "can't unbundle S cookie; uri: %s\n",
! r->uri);
! rr->failed = PBC_BAD_AUTH;
! rr->redir_reason_no = PBC_RR_BADS_CODE;
! return OK;
! } else {
! rr->cookie_data = cookie_data;
! }
/* we tell everyone what authentication check we did */
r->AUTH_TYPE = ap_pstrdup (p, ap_auth_type (r));
--- 1640,1680 ----
fail to decrypt aren't for our app server. In cases where the crypt
key is incorrect on the app server this will cause looping */
cookie_data = NULL;
! while ((cookie = get_cookie (r, PBC_G_COOKIENAME, gcnt))
! && (scfg->use_post || get_cookie (r, PBC_PRE_S_COOKIENAME, 0))) {
cookie_data =
libpbc_unbundle_cookie (p, scfg->sectext, cookie,
ap_get_server_name (r), 1,
scfg->crypt_alg);
! if (cookie_data) break;
! ap_log_rerror (PC_LOG_INFO, r,
! "can't unbundle G cookie, it's probably not for us; uri: %s\n",
! r->uri);
! gcnt++;
! clear_granting_cookie (r);
}
! /* If no valid granting cookie, check session cookie */
if (!cookie_data || strncasecmp ((const char *) appid (r),
(const char *) cookie_data->broken.
appid,
sizeof (cookie_data->broken.appid) -
1) != 0) {
! while (cookie = get_cookie (r, sess_cookie_name, scnt)) {
cookie_data =
libpbc_unbundle_cookie (p, scfg->sectext, cookie, NULL, 0,
scfg->crypt_alg);
!
! if (cookie_data) break;
! ap_log_rerror (PC_LOG_INFO, r,
! "can't unbundle S cookie; uri: %s\n",
! r->uri);
! scnt++;
! }
!
! if (cookie_data) {
!
! rr->cookie_data = cookie_data;
/* we tell everyone what authentication check we did */
r->AUTH_TYPE = ap_pstrdup (p, ap_auth_type (r));
***************
*** 1826,1831 ****
--- 1782,1796 ----
return OK;
}
+ } else { /* hav S cookie */
+
+ ap_log_rerror (PC_LOG_DEBUG, r,
+ "No G or S cookie; uri: %s appid: %s sess_cookie_name: %s",
+ r->uri, appid (r), sess_cookie_name);
+ rr->failed = PBC_BAD_AUTH;
+ rr->redir_reason_no = PBC_RR_NOGORS_CODE;
+ return OK;
+
} /* end if session cookie */
} else {
***************
*** 1984,1990 ****
/* extensions */
/* transcred */
! cookie = get_cookie (r, PBC_CRED_TRANSFER_COOKIENAME);
cred_from_trans = 1;
if (!cookie) {
char *mycookie;
--- 1949,1955 ----
/* extensions */
/* transcred */
! cookie = get_cookie (r, PBC_CRED_TRANSFER_COOKIENAME, 0);
cred_from_trans = 1;
if (!cookie) {
char *mycookie;
***************
*** 1994,2000 ****
appid (r));
cred_from_trans = 0; /* not transferring creds */
! cookie = get_cookie (r, mycookie);
}
if (cookie) {
char *blob = ap_palloc (p, strlen (cookie));
--- 1959,1965 ----
appid (r));
cred_from_trans = 0; /* not transferring creds */
! cookie = get_cookie (r, mycookie, 0);
}
if (cookie) {
char *blob = ap_palloc (p, strlen (cookie));
***************
*** 2165,2171 ****
return OK;
}
! /* Scan the request's cookies for those of interest to us */
static int pubcookie_hparse (request_rec * r)
{
char *cookies;
--- 2130,2137 ----
return OK;
}
! /* See if we should augment the directives */
!
static int pubcookie_hparse (request_rec * r)
{
char *cookies;
***************
*** 2187,2208 ****
*nextcookie++ = '\0';
while (*nextcookie && *nextcookie == ' ')
++nextcookie;
- }
- /* the module might be run on the login server don't blank g req */
- if (strncasecmp
- (c, PBC_G_REQ_COOKIENAME, sizeof (PBC_G_REQ_COOKIENAME) - 1)
- &&
- (!strncasecmp
- (c, PBC_G_COOKIENAME, sizeof (PBC_G_COOKIENAME) - 1)
- || !strncasecmp (c, PBC_PRE_S_COOKIENAME,
- sizeof (PBC_PRE_S_COOKIENAME) - 1)
- || !strncasecmp (c, PBC_S_COOKIENAME,
- sizeof (PBC_S_COOKIENAME) - 1))) {
- char *s = strchr (c, '=');
- if (s) {
- *s = '\0';
- get_cookie (r, c);
- }
}
/* Look for the directive key cookie */
--- 2153,2158 ----
end of message
More information about the pubcookie-dev
mailing list