| /* Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| /* User Tracking Module (Was mod_cookies.c) |
| * |
| * *** IMPORTANT NOTE: This module is not designed to generate |
| * *** cryptographically secure cookies. This means you should not |
| * *** use cookies generated by this module for authentication purposes |
| * |
| * This Apache module is designed to track users paths through a site. |
| * It uses the client-side state ("Cookie") protocol developed by Netscape. |
| * It is known to work on most browsers. |
| * |
| * Each time a page is requested we look to see if the browser is sending |
| * us a Cookie: header that we previously generated. |
| * |
| * If we don't find one then the user hasn't been to this site since |
| * starting their browser or their browser doesn't support cookies. So |
| * we generate a unique Cookie for the transaction and send it back to |
| * the browser (via a "Set-Cookie" header) |
| * Future requests from the same browser should keep the same Cookie line. |
| * |
| * By matching up all the requests with the same cookie you can |
| * work out exactly what path a user took through your site. To log |
| * the cookie use the " %{Cookie}n " directive in a custom access log; |
| * |
| * Example 1 : If you currently use the standard Log file format (CLF) |
| * and use the command "TransferLog somefilename", add the line |
| * LogFormat "%h %l %u %t \"%r\" %s %b %{Cookie}n" |
| * to your config file. |
| * |
| * Example 2 : If you used to use the old "CookieLog" directive, you |
| * can emulate it by adding the following command to your config file |
| * CustomLog filename "%{Cookie}n \"%r\" %t" |
| * |
| * Mark Cox, mjc@apache.org, 6 July 95 |
| * |
| * This file replaces mod_cookies.c |
| */ |
| |
| #include "apr.h" |
| #include "apr_lib.h" |
| #include "apr_strings.h" |
| |
| #define APR_WANT_STRFUNC |
| #include "apr_want.h" |
| |
| #include "httpd.h" |
| #include "http_config.h" |
| #include "http_core.h" |
| #include "http_request.h" |
| #include "http_log.h" |
| |
| |
| module AP_MODULE_DECLARE_DATA usertrack_module; |
| |
| typedef struct { |
| int always; |
| int expires; |
| } cookie_log_state; |
| |
| typedef enum { |
| CT_UNSET, |
| CT_NETSCAPE, |
| CT_COOKIE, |
| CT_COOKIE2 |
| } cookie_type_e; |
| |
| typedef struct { |
| int enabled; |
| cookie_type_e style; |
| const char *cookie_name; |
| const char *cookie_domain; |
| char *regexp_string; /* used to compile regexp; save for debugging */ |
| ap_regex_t *regexp; /* used to find usertrack cookie in cookie header */ |
| int is_secure; |
| int is_httponly; |
| const char *samesite; |
| } cookie_dir_rec; |
| |
| /* Make Cookie: Now we have to generate something that is going to be |
| * pretty unique. We can base it on the pid, time, hostip */ |
| |
| #define COOKIE_NAME "Apache" |
| |
| static void make_cookie(request_rec *r) |
| { |
| cookie_log_state *cls = ap_get_module_config(r->server->module_config, |
| &usertrack_module); |
| char cookiebuf[2 * (sizeof(apr_uint64_t) + sizeof(int)) + 2]; |
| unsigned int random; |
| apr_time_t now = r->request_time ? r->request_time : apr_time_now(); |
| char *new_cookie; |
| cookie_dir_rec *dcfg; |
| |
| ap_random_insecure_bytes(&random, sizeof(random)); |
| apr_snprintf(cookiebuf, sizeof(cookiebuf), "%x.%" APR_UINT64_T_HEX_FMT, |
| random, (apr_uint64_t)now); |
| dcfg = ap_get_module_config(r->per_dir_config, &usertrack_module); |
| if (cls->expires) { |
| |
| /* Cookie with date; as strftime '%a, %d-%h-%y %H:%M:%S GMT' */ |
| new_cookie = apr_psprintf(r->pool, "%s=%s; path=/", |
| dcfg->cookie_name, cookiebuf); |
| |
| if ((dcfg->style == CT_UNSET) || (dcfg->style == CT_NETSCAPE)) { |
| apr_time_exp_t tms; |
| apr_time_exp_gmt(&tms, r->request_time |
| + apr_time_from_sec(cls->expires)); |
| new_cookie = apr_psprintf(r->pool, |
| "%s; expires=%s, " |
| "%.2d-%s-%.2d %.2d:%.2d:%.2d GMT", |
| new_cookie, apr_day_snames[tms.tm_wday], |
| tms.tm_mday, |
| apr_month_snames[tms.tm_mon], |
| tms.tm_year % 100, |
| tms.tm_hour, tms.tm_min, tms.tm_sec); |
| } |
| else { |
| new_cookie = apr_psprintf(r->pool, "%s; max-age=%d", |
| new_cookie, cls->expires); |
| } |
| } |
| else { |
| new_cookie = apr_psprintf(r->pool, "%s=%s; path=/", |
| dcfg->cookie_name, cookiebuf); |
| } |
| if (dcfg->cookie_domain != NULL) { |
| new_cookie = apr_pstrcat(r->pool, new_cookie, "; domain=", |
| dcfg->cookie_domain, |
| (dcfg->style == CT_COOKIE2 |
| ? "; version=1" |
| : ""), |
| NULL); |
| } |
| if (dcfg->samesite != NULL) { |
| new_cookie = apr_pstrcat(r->pool, new_cookie, "; ", |
| dcfg->samesite, |
| NULL); |
| } |
| if (dcfg->is_secure) { |
| new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure", |
| NULL); |
| } |
| if (dcfg->is_httponly) { |
| new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly", |
| NULL); |
| } |
| |
| |
| |
| apr_table_addn(r->err_headers_out, |
| (dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"), |
| new_cookie); |
| apr_table_setn(r->notes, "cookie", apr_pstrdup(r->pool, cookiebuf)); /* log first time */ |
| } |
| |
| /* dcfg->regexp is "^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)", |
| * which has three subexpressions, $0..$2 */ |
| #define NUM_SUBS 3 |
| |
| static void set_and_comp_regexp(cookie_dir_rec *dcfg, |
| apr_pool_t *p, |
| const char *cookie_name) |
| { |
| int danger_chars = 0; |
| const char *sp = cookie_name; |
| |
| /* The goal is to end up with this regexp, |
| * ^cookie_name=([^;,]+)|[;,][ \t]+cookie_name=([^;,]+) |
| * with cookie_name obviously substituted either |
| * with the real cookie name set by the user in httpd.conf, or with the |
| * default COOKIE_NAME. */ |
| |
| /* Anyway, we need to escape the cookie_name before pasting it |
| * into the regex |
| */ |
| while (*sp) { |
| if (!apr_isalnum(*sp)) { |
| ++danger_chars; |
| } |
| ++sp; |
| } |
| |
| if (danger_chars) { |
| char *cp; |
| cp = apr_palloc(p, sp - cookie_name + danger_chars + 1); /* 1 == \0 */ |
| sp = cookie_name; |
| cookie_name = cp; |
| while (*sp) { |
| if (!apr_isalnum(*sp)) { |
| *cp++ = '\\'; |
| } |
| *cp++ = *sp++; |
| } |
| *cp = '\0'; |
| } |
| |
| dcfg->regexp_string = apr_pstrcat(p, "^", |
| cookie_name, |
| "=([^;,]+)|[;,][ \t]*", |
| cookie_name, |
| "=([^;,]+)", NULL); |
| |
| dcfg->regexp = ap_pregcomp(p, dcfg->regexp_string, AP_REG_EXTENDED); |
| ap_assert(dcfg->regexp != NULL); |
| } |
| |
| static int spot_cookie(request_rec *r) |
| { |
| cookie_dir_rec *dcfg = ap_get_module_config(r->per_dir_config, |
| &usertrack_module); |
| const char *cookie_header; |
| ap_regmatch_t regm[NUM_SUBS]; |
| |
| /* Do not run in subrequests */ |
| if (!dcfg->enabled || r->main) { |
| return DECLINED; |
| } |
| |
| if ((cookie_header = apr_table_get(r->headers_in, "Cookie"))) { |
| if (!ap_regexec(dcfg->regexp, cookie_header, NUM_SUBS, regm, 0)) { |
| char *cookieval = NULL; |
| int err = 0; |
| /* Our regexp, |
| * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+) |
| * only allows for $1 or $2 to be available. ($0 is always |
| * filled with the entire matched expression, not just |
| * the part in parentheses.) So just check for either one |
| * and assign to cookieval if present. */ |
| if (regm[1].rm_so != -1) { |
| cookieval = ap_pregsub(r->pool, "$1", cookie_header, |
| NUM_SUBS, regm); |
| if (cookieval == NULL) |
| err = 1; |
| } |
| if (regm[2].rm_so != -1) { |
| cookieval = ap_pregsub(r->pool, "$2", cookie_header, |
| NUM_SUBS, regm); |
| if (cookieval == NULL) |
| err = 1; |
| } |
| if (err) { |
| ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, APLOGNO(01499) |
| "Failed to extract cookie value (out of mem?)"); |
| return HTTP_INTERNAL_SERVER_ERROR; |
| } |
| /* Set the cookie in a note, for logging */ |
| apr_table_setn(r->notes, "cookie", cookieval); |
| |
| return DECLINED; /* There's already a cookie, no new one */ |
| } |
| } |
| make_cookie(r); |
| return OK; /* We set our cookie */ |
| } |
| |
| static void *make_cookie_log_state(apr_pool_t *p, server_rec *s) |
| { |
| cookie_log_state *cls = |
| (cookie_log_state *) apr_palloc(p, sizeof(cookie_log_state)); |
| |
| cls->expires = 0; |
| |
| return (void *) cls; |
| } |
| |
| static void *make_cookie_dir(apr_pool_t *p, char *d) |
| { |
| cookie_dir_rec *dcfg; |
| |
| dcfg = (cookie_dir_rec *) apr_pcalloc(p, sizeof(cookie_dir_rec)); |
| dcfg->cookie_name = COOKIE_NAME; |
| dcfg->style = CT_UNSET; |
| /* calloc'ed to disabled: enabled, cookie_domain, samesite, is_secure, |
| * is_httponly */ |
| |
| /* In case the user does not use the CookieName directive, |
| * we need to compile the regexp for the default cookie name. */ |
| set_and_comp_regexp(dcfg, p, COOKIE_NAME); |
| |
| return dcfg; |
| } |
| |
| static const char *set_cookie_exp(cmd_parms *parms, void *dummy, |
| const char *arg) |
| { |
| cookie_log_state *cls; |
| time_t factor, modifier = 0; |
| time_t num = 0; |
| char *word; |
| |
| cls = ap_get_module_config(parms->server->module_config, |
| &usertrack_module); |
| /* The simple case first - all numbers (we assume) */ |
| if (apr_isdigit(arg[0]) && apr_isdigit(arg[strlen(arg) - 1])) { |
| cls->expires = atol(arg); |
| return NULL; |
| } |
| |
| /* |
| * The harder case - stolen from mod_expires |
| * |
| * CookieExpires "[plus] {<num> <type>}*" |
| */ |
| |
| word = ap_getword_conf(parms->temp_pool, &arg); |
| if (!strncasecmp(word, "plus", 1)) { |
| word = ap_getword_conf(parms->temp_pool, &arg); |
| }; |
| |
| /* {<num> <type>}* */ |
| while (word[0]) { |
| /* <num> */ |
| if (apr_isdigit(word[0])) |
| num = atoi(word); |
| else |
| return "bad expires code, numeric value expected."; |
| |
| /* <type> */ |
| word = ap_getword_conf(parms->temp_pool, &arg); |
| if (!word[0]) |
| return "bad expires code, missing <type>"; |
| |
| if (!strncasecmp(word, "years", 1)) |
| factor = 60 * 60 * 24 * 365; |
| else if (!strncasecmp(word, "months", 2)) |
| factor = 60 * 60 * 24 * 30; |
| else if (!strncasecmp(word, "weeks", 1)) |
| factor = 60 * 60 * 24 * 7; |
| else if (!strncasecmp(word, "days", 1)) |
| factor = 60 * 60 * 24; |
| else if (!strncasecmp(word, "hours", 1)) |
| factor = 60 * 60; |
| else if (!strncasecmp(word, "minutes", 2)) |
| factor = 60; |
| else if (!strncasecmp(word, "seconds", 1)) |
| factor = 1; |
| else |
| return "bad expires code, unrecognized type"; |
| |
| modifier = modifier + factor * num; |
| |
| /* next <num> */ |
| word = ap_getword_conf(parms->temp_pool, &arg); |
| } |
| |
| cls->expires = modifier; |
| |
| return NULL; |
| } |
| |
| static const char *set_cookie_name(cmd_parms *cmd, void *mconfig, |
| const char *name) |
| { |
| cookie_dir_rec *dcfg = (cookie_dir_rec *) mconfig; |
| |
| dcfg->cookie_name = name; |
| |
| set_and_comp_regexp(dcfg, cmd->pool, name); |
| |
| if (dcfg->regexp == NULL) { |
| return "Regular expression could not be compiled."; |
| } |
| if (dcfg->regexp->re_nsub + 1 != NUM_SUBS) { |
| return apr_pstrcat(cmd->pool, "Invalid cookie name \"", |
| name, "\"", NULL); |
| } |
| |
| return NULL; |
| } |
| |
| /* |
| * Set the value for the 'Domain=' attribute. |
| */ |
| static const char *set_cookie_domain(cmd_parms *cmd, void *mconfig, |
| const char *name) |
| { |
| cookie_dir_rec *dcfg; |
| |
| dcfg = (cookie_dir_rec *) mconfig; |
| |
| /* |
| * Apply the restrictions on cookie domain attributes. |
| */ |
| if (!name[0]) { |
| return "CookieDomain values may not be null"; |
| } |
| if (name[0] != '.') { |
| return "CookieDomain values must begin with a dot"; |
| } |
| if (ap_strchr_c(&name[1], '.') == NULL) { |
| return "CookieDomain values must contain at least one embedded dot"; |
| } |
| |
| dcfg->cookie_domain = name; |
| return NULL; |
| } |
| |
| /* |
| * Make a note of the cookie style we should use. |
| */ |
| static const char *set_cookie_style(cmd_parms *cmd, void *mconfig, |
| const char *name) |
| { |
| cookie_dir_rec *dcfg; |
| |
| dcfg = (cookie_dir_rec *) mconfig; |
| |
| if (strcasecmp(name, "Netscape") == 0) { |
| dcfg->style = CT_NETSCAPE; |
| } |
| else if ((strcasecmp(name, "Cookie") == 0) |
| || (strcasecmp(name, "RFC2109") == 0)) { |
| dcfg->style = CT_COOKIE; |
| } |
| else if ((strcasecmp(name, "Cookie2") == 0) |
| || (strcasecmp(name, "RFC2965") == 0)) { |
| dcfg->style = CT_COOKIE2; |
| } |
| else { |
| return apr_psprintf(cmd->pool, "Invalid %s keyword: '%s'", |
| cmd->cmd->name, name); |
| } |
| |
| return NULL; |
| } |
| |
| /* |
| * SameSite enabled disabled |
| */ |
| |
| static const char *set_samesite_value(cmd_parms *cmd, void *mconfig, |
| const char *name) |
| { |
| cookie_dir_rec *dcfg; |
| |
| dcfg = (cookie_dir_rec *) mconfig; |
| |
| if (strcasecmp(name, "strict") == 0) { |
| dcfg->samesite = "SameSite=Strict"; |
| } else if (strcasecmp(name, "lax") == 0) { |
| dcfg->samesite = "SameSite=Lax"; |
| } else if (strcasecmp(name, "none") == 0) { |
| dcfg->samesite = "SameSite=None"; |
| } else { |
| return "CookieSameSite accepts 'Strict', 'Lax', or 'None'"; |
| } |
| |
| return NULL; |
| } |
| |
| static const command_rec cookie_log_cmds[] = { |
| AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO, |
| "an expiry date code"), |
| AP_INIT_TAKE1("CookieDomain", set_cookie_domain, NULL, OR_FILEINFO, |
| "domain to which this cookie applies"), |
| AP_INIT_TAKE1("CookieStyle", set_cookie_style, NULL, OR_FILEINFO, |
| "'Netscape', 'Cookie' (RFC2109), or 'Cookie2' (RFC2965)"), |
| AP_INIT_FLAG("CookieTracking", ap_set_flag_slot, |
| (void *)APR_OFFSETOF(cookie_dir_rec, enabled), OR_FILEINFO, |
| "whether or not to enable cookies"), |
| AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO, |
| "name of the tracking cookie"), |
| AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO, |
| "SameSite setting"), |
| AP_INIT_FLAG("CookieSecure", ap_set_flag_slot, |
| (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO, |
| "is cookie secure"), |
| AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot, |
| (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO, |
| "is cookie http only"), |
| |
| {NULL} |
| }; |
| |
| static void register_hooks(apr_pool_t *p) |
| { |
| ap_hook_fixups(spot_cookie,NULL,NULL,APR_HOOK_REALLY_FIRST); |
| } |
| |
| AP_DECLARE_MODULE(usertrack) = { |
| STANDARD20_MODULE_STUFF, |
| make_cookie_dir, /* dir config creater */ |
| NULL, /* dir merger --- default is to override */ |
| make_cookie_log_state, /* server config */ |
| NULL, /* merge server configs */ |
| cookie_log_cmds, /* command apr_table_t */ |
| register_hooks /* register hooks */ |
| }; |