From 8719323667740a50118cff15dfb6f4750524d19f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 26 Aug 2020 12:04:14 +0200
Subject: [PATCH 9/9] Backport setting an extra cookie parameter
|
---
src/mod_auth_openidc.c | 12 ++++++------
src/mod_auth_openidc.h | 2 +-
src/session.c | 6 +++---
src/util.c | 4 +++-
4 files changed, 13 insertions(+), 11 deletions(-)
|
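--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -477,7 +477,7 @@ static void oidc_clean_expired_state_cookies(request_rec *r, oidc_cfg *c) {
 apr_time_t now = apr_time_sec(apr_time_now());
 if (now > json_integer_value(v) + c->state_timeout) {
 oidc_error(r, "state has expired");
- oidc_util_set_cookie(r, cookieName, "", 0);
+ oidc_util_set_cookie(r, cookieName, "", 0, NULL);
 }
 json_decref(state);
 }
@@ -509,7 +509,7 @@ static apr_byte_t oidc_restore_proto_state(request_rec *r, oidc_cfg *c,
 }
 
 /* clear state cookie because we don't need it anymore */
- oidc_util_set_cookie(r, cookieName, "", 0);
+ oidc_util_set_cookie(r, cookieName, "", 0, NULL);
 
 *proto_state = oidc_get_state_from_cookie(r, cookieValue);
 if (*proto_state == NULL) return FALSE;
@@ -576,7 +576,7 @@ static apr_byte_t oidc_authorization_request_set_cookie(request_rec *r,
 const char *cookieName = oidc_get_state_cookie_name(r, state);
 
 /* set it as a cookie */
- oidc_util_set_cookie(r, cookieName, cookieValue, -1);
+ oidc_util_set_cookie(r, cookieName, cookieValue, -1, NULL);
 
 free(s_value);
 
@@ -1644,7 +1644,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 oidc_debug(r, "redirecting to external discovery page: %s", url);
 
 /* set CSRF cookie */
- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1);
+ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL);
 
 /* do the actual redirect to an external discovery page */
 apr_table_add(r->headers_out, "Location", url);
@@ -1705,7 +1705,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 "%s<input type=\"submit\" value=\"Submit\"> \n", s);
 s = apr_psprintf(r->pool, "%s</form>\n", s);
 
- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1);
+ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL);
 
 /* now send the HTML contents to the user agent */
 return oidc_util_html_send(r, "OpenID Connect Provider Discovery",
@@ -1935,7 +1935,7 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
 if (csrf_cookie) {
 
 /* clean CSRF cookie */
- oidc_util_set_cookie(r, OIDC_CSRF_NAME, "", 0);
+ oidc_util_set_cookie(r, OIDC_CSRF_NAME, "", 0, NULL);
 
 /* compare CSRF cookie value with query parameter value */
 if ((csrf_query == NULL)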
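--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -433,7 +433,7 @@ char *oidc_get_current_url(request_rec *r);
 char *oidc_url_encode(const request_rec *r, const char *str, const char *charsToEncode);
 char *oidc_normalize_header_name(const request_rec *r, const char *str);
 
-void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue, apr_time_t expires);
+void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue, apr_time_t expires, const char *ext);
 char *oidc_util_get_cookie(request_rec *r, const char *cookieName);
 apr_byte_t oidc_util_http_get(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies);
 apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies);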
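--- a/src/session.c
+++ b/src/session.c
@@ -380,7 +380,7 @@ static apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) {
 
 /* set the uuid in the cookie */
 oidc_util_set_cookie(r, d->cookie, key,
- c->persistent_session_cookie ? z->expiry : -1);
+ c->persistent_session_cookie ? z->expiry : -1, NULL);
 
 /* store the string-encoded session in the cache */
 c->cache->set(r, OIDC_CACHE_SECTION_SESSION, key, z->encoded,
@@ -389,7 +389,7 @@ static apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) {
 } else {
 
 /* clear the cookie */
- oidc_util_set_cookie(r, d->cookie, "", 0);
+ oidc_util_set_cookie(r, d->cookie, "", 0, NULL);
 
 /* remove the session from the cache */
 c->cache->set(r, OIDC_CACHE_SECTION_SESSION, key, NULL, 0);
@@ -430,7 +430,7 @@ static apr_status_t oidc_session_save_cookie(request_rec *r, session_rec *z) {
 }
 }
 oidc_util_set_cookie(r, d->cookie, cookieValue,
- c->persistent_session_cookie ? z->expiry : -1);
+ c->persistent_session_cookie ? z->expiry : -1, NULL);
 
 return APR_SUCCESS;
 }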
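--- a/src/util.c
+++ b/src/util.c
@@ -701,7 +701,7 @@ const char *oidc_util_set_cookie_append_value(request_rec *r, oidc_cfg *c) {
 * set a cookie in the HTTP response headers
 */
 void oidc_util_set_cookie(request_rec *r, const char *cookieName,
- const char *cookieValue, apr_time_t expires) {
+ const char *cookieValue, apr_time_t expires, const char *ext) {
 
 oidc_cfg *c = ap_get_module_config(r->server->module_config,
 &auth_openidc_module);
@@ -736,6 +736,8 @@ void oidc_util_set_cookie(request_rec *r, const char *cookieName,
 if (appendString != NULL)
 headerString = apr_psprintf(r->pool, "%s; %s", headerString,
 appendString);
+ else if (ext != NULL)
+ headerString = apr_psprintf(r->pool, "%s; %s", headerString, ext);
 
 /* sanity check on overall cookie value size */
 if (strlen(headerString) > 4093) {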
--
2.26.2
|