Replace bespoke cookie parsing with ap_cookie_read() (#202)

mmuehlenhoff · muehlenhoff · Moritz Muehlenhoff · web-flow · commit c6422481be29 · 2022-03-25T11:03:33.000-04:00
* Replace bespoke cookie parsing with ap_cookie_read()

* Fix escaping for small chars in urlEncode()

The %%%x format string resolves to the literal "%" and the hex representation
of the character to be encoded, but is always asssumed to return three characters.

However for a small value like e.g. 7 it would return "%7" instead. None of the
current two call sites of the function use such a small value, but apply correct
padding just in case the function might be used elsewhere in the future.

* Update src/mod_auth_cas.c

Co-authored-by: David Hawes &lt;dhawes@gmail.com&gt;

* Update docs to require Apache 2.4

The upstream support for Apache 2.2.x ended on 2018-01-01 and also none of
the long term Linux distros still support it, looking at the latest still
supported releases:

* Debian 8 ELTS has Apache httpd 2.4.10
* Ubuntu 14.4 has Apache httpd 2.4.5
* RHEL 7 has Apache httpd 2.4.6
* SLES 11 has Apache httpd 2.4.23

Co-authored-by: Moritz Muehlenhoff &lt;jmm@debian.org&gt;
Co-authored-by: Moritz Muehlenhoff &lt;moritz@wikimedia.org&gt;
Co-authored-by: David Hawes &lt;dhawes@gmail.com&gt;
diff --git a/README b/README
@@ -47,7 +47,7 @@ The following development libraries and utilities must be installed:
 * OpenSSL - 0.9.8c or higher
 * Apache Portable Runtime - 1.5.0 or higher
 * Apache Portable Runtime Utilities - 1.3.0 or higher
-* Apache Web Server - 2.2.3 or higher
+* Apache Web Server - 2.4 or higher
 * libcurl - 7.18.2 or higher
 * libpcre - 7.8 or higher
 
diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
@@ -53,6 +53,7 @@
 #include "apr_thread_mutex.h"
 #include "apr_strings.h"
 #include "apr_xml.h"
+#include "util_cookies.h"
 
 #include "cas_saml_attr.h"
 
@@ -780,27 +781,9 @@ char *getCASTicket(request_rec *r)
 
 char *getCASCookie(request_rec *r, char *cookieName)
 {
-	char *cookie, *tokenizerCtx, *rv = NULL;
-	char *cookies = apr_pstrdup(r->pool, (char *) apr_table_get(r->headers_in, "Cookie"));
-
-	if(cookies != NULL) {
-		/* tokenize on ; to find the cookie we want */
-		cookie = apr_strtok(cookies, ";", &tokenizerCtx);
-		while (cookie != NULL) {
-			while (*cookie == ' ') {
-				cookie++;
-			}
-			if (strncmp(cookie, cookieName, strlen(cookieName)) == 0) {
-			  /* skip to the meat of the parameter (the value after the '=') */
-				cookie += (strlen(cookieName)+1);
-				rv = apr_pstrdup(r->pool, cookie);
-				break;
-			}
-			cookie = apr_strtok(NULL, ";", &tokenizerCtx);
-		}
-	}
-
-	return rv;
+	const char *rv = NULL;
+	ap_cookie_read(r, cookieName, &rv, 0);
+	return(apr_pstrdup(r->pool, rv));
 }
 
 void setCASCookie(request_rec *r, char *cookieName, char *cookieValue, apr_byte_t secure, apr_time_t expireTime, char *cookieDomain, char *cookieSameSite)
@@ -916,7 +899,7 @@ char *urlEncode(const request_rec *r, const char *str,
 		escaped = FALSE;
 		for(i = 0; i < limit; i++) {
 			if(*q == charsToEncode[i]) {
-				sprintf(p, "%%%x", charsToEncode[i]);
+				sprintf(p, "%%%02x", charsToEncode[i]);
 				p+= 3;
 				escaped = TRUE;
 				break;
