1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include "util_cookies.h"
19 #include "apr_strings.h"
20 #include "http_config.h"
21 #include "http_core.h"
24 #define LOG_PREFIX "ap_cookie: "
26 /* we know core's module_index is 0 */
27 #undef APLOG_MODULE_INDEX
28 #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
31 * Write an RFC2109 compliant cookie.
33 * @param r The request
34 * @param name The name of the cookie.
35 * @param val The value to place in the cookie.
36 * @param attrs The string containing additional cookie attributes. If NULL, the
37 * DEFAULT_ATTRS will be used.
38 * @param maxage If non zero, a Max-Age header will be added to the cookie.
40 AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, const char *val,
41 const char *attrs, long maxage, ...)
52 buffer = apr_pstrcat(r->pool, "Max-Age=", apr_ltoa(r->pool, maxage), ";", NULL);
55 /* create RFC2109 compliant cookie */
56 rfc2109 = apr_pstrcat(r->pool, name, "=", val, ";", buffer,
57 attrs && *attrs ? attrs : DEFAULT_ATTRS, NULL);
58 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00007) LOG_PREFIX
59 "user '%s' set cookie: '%s'", r->user, rfc2109);
61 /* write the cookie to the header table(s) provided */
63 while ((t = va_arg(vp, apr_table_t *))) {
64 apr_table_addn(t, SET_COOKIE, rfc2109);
73 * Write an RFC2965 compliant cookie.
75 * @param r The request
76 * @param name2 The name of the cookie.
77 * @param val The value to place in the cookie.
78 * @param attrs2 The string containing additional cookie attributes. If NULL, the
79 * DEFAULT_ATTRS will be used.
80 * @param maxage If non zero, a Max-Age header will be added to the cookie.
82 AP_DECLARE(apr_status_t) ap_cookie_write2(request_rec * r, const char *name2, const char *val,
83 const char *attrs2, long maxage, ...)
94 buffer = apr_pstrcat(r->pool, "Max-Age=", apr_ltoa(r->pool, maxage), ";", NULL);
97 /* create RFC2965 compliant cookie */
98 rfc2965 = apr_pstrcat(r->pool, name2, "=", val, ";", buffer,
99 attrs2 && *attrs2 ? attrs2 : DEFAULT_ATTRS, NULL);
100 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00008) LOG_PREFIX
101 "user '%s' set cookie2: '%s'", r->user, rfc2965);
103 /* write the cookie to the header table(s) provided */
104 va_start(vp, maxage);
105 while ((t = va_arg(vp, apr_table_t *))) {
106 apr_table_addn(t, SET_COOKIE2, rfc2965);
115 * Remove an RFC2109 compliant cookie.
117 * @param r The request
118 * @param name The name of the cookie.
120 AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name, const char *attrs, ...)
125 /* create RFC2109 compliant cookie */
126 const char *rfc2109 = apr_pstrcat(r->pool, name, "=;Max-Age=0;",
127 attrs ? attrs : CLEAR_ATTRS, NULL);
128 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00009) LOG_PREFIX
129 "user '%s' removed cookie: '%s'", r->user, rfc2109);
131 /* write the cookie to the header table(s) provided */
133 while ((t = va_arg(vp, apr_table_t *))) {
134 apr_table_addn(t, SET_COOKIE, rfc2109);
143 * Remove an RFC2965 compliant cookie.
145 * @param r The request
146 * @param name2 The name of the cookie.
148 AP_DECLARE(apr_status_t) ap_cookie_remove2(request_rec * r, const char *name2, const char *attrs2, ...)
153 /* create RFC2965 compliant cookie */
154 const char *rfc2965 = apr_pstrcat(r->pool, name2, "=;Max-Age=0;",
155 attrs2 ? attrs2 : CLEAR_ATTRS, NULL);
156 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00010) LOG_PREFIX
157 "user '%s' removed cookie2: '%s'", r->user, rfc2965);
159 /* write the cookie to the header table(s) provided */
160 va_start(vp, attrs2);
161 while ((t = va_arg(vp, apr_table_t *))) {
162 apr_table_addn(t, SET_COOKIE2, rfc2965);
170 /* Iterate through the cookies, isolate our cookie and then remove it.
172 * If our cookie appears two or more times, but with different values,
173 * remove it twice and set the duplicated flag to true. Remove any
174 * $path or other attributes following our cookie if present. If we end
175 * up with an empty cookie, remove the whole header.
177 static int extract_cookie_line(void *varg, const char *key, const char *val)
179 ap_cookie_do *v = varg;
181 char *cookie = apr_pstrdup(v->r->pool, val);
182 const char *name = apr_pstrcat(v->r->pool, v->name ? v->name : "", "=", NULL);
183 apr_size_t len = strlen(name);
184 const char *new_cookie = "";
185 const char *comma = ",";
187 const char *semi = ";";
189 const char *sep = "";
192 /* find the cookie called name */
194 next1 = apr_strtok(cookie, comma, &last1);
196 next2 = apr_strtok(next1, semi, &last2);
199 while (apr_isspace(*trim)) {
202 if (!strncmp(trim, name, len)) {
204 if (strcmp(v->encoded, trim + len)) {
208 v->encoded = apr_pstrdup(v->r->pool, trim + len);
217 new_cookie = apr_pstrcat(v->r->pool, new_cookie, sep, next2, NULL);
220 next2 = apr_strtok(NULL, semi, &last2);
224 next1 = apr_strtok(NULL, comma, &last1);
228 /* any cookies left over? */
230 apr_table_addn(v->new_cookies, key, new_cookie);
237 * Read a cookie called name, placing its value in val.
239 * Both the Cookie and Cookie2 headers are scanned for the cookie.
241 * If the cookie is duplicated, this function returns APR_EGENERAL. If found,
242 * and if remove is non zero, the cookie will be removed from the headers, and
243 * thus kept private from the backend.
245 AP_DECLARE(apr_status_t) ap_cookie_read(request_rec * r, const char *name, const char **val,
252 v.new_cookies = apr_table_make(r->pool, 10);
256 apr_table_do(extract_cookie_line, &v, r->headers_in,
257 "Cookie", "Cookie2", NULL);
259 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00011) LOG_PREFIX
260 "client submitted cookie '%s' more than once: %s", v.name, r->uri);
264 /* remove our cookie(s), and replace them */
266 apr_table_unset(r->headers_in, "Cookie");
267 apr_table_unset(r->headers_in, "Cookie2");
268 r->headers_in = apr_table_overlay(r->pool, r->headers_in, v.new_cookies);
278 * Sanity check a given string that it exists, is not empty,
279 * and does not contain the special characters '=', ';' and '&'.
281 * It is used to sanity check the cookie names.
283 AP_DECLARE(apr_status_t) ap_cookie_check_string(const char *string)
285 if (!string || !*string || ap_strchr_c(string, '=') || ap_strchr_c(string, '&') ||
286 ap_strchr_c(string, ';')) {