Replace bespoke cookie parsing with ap_cookie_read() #202
dhawes merged 4 commits into apereo:master
I'm all for this but want to note that this will leave Apache 2.2 support behind. I'm personally for that since it's been end-of-life for going on 5 years, but still wanted to note it. I'll review and test. Thanks for the patch!
Yeah, it seems safe to no longer care about Apache 2.2. In addition to the upstream EOL date I also had a look at what the various LTS Linux distros ship (in their oldest still supported release):
The %%%x format string resolves to the literal "%" and the hex representation of the character to be encoded, but is always assumed to return three characters. However for a small value like e.g. 7 it would return "%7" instead. None of the current two call sites of the function use such a small value, but apply correct padding just in case the function might be used elsewhere in the future.
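The padding issue described in the commit message above, as an added example that is not part of the pull request or of mod_auth_cas: a stand-alone C model comparing `%%%x` with `%%%02x`. The name `url_encode_model`, its `pad` parameter, and the fixed three-byte pointer advance are assumptions made for illustration, based on the commit message's statement that the output is always assumed to be three characters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-alone model, not mod_auth_cas's urlEncode().
 * Assumption: every escaped byte is expected to occupy exactly three
 * output characters, so the write pointer always advances by 3. */
char *url_encode_model(const char *in, const char *to_encode, int pad)
{
    size_t len = strlen(in);
    char *out = calloc(3 * len + 1, 1);   /* worst case: every byte escaped */
    char *q = out;

    if (out == NULL)
        return NULL;
    for (const char *p = in; *p != '\0'; p++) {
        if (strchr(to_encode, *p) != NULL) {
            if (pad)
                snprintf(q, 4, "%%%02x", (unsigned char)*p); /* always 3 chars */
            else
                snprintf(q, 4, "%%%x", (unsigned char)*p);   /* 2 chars if < 0x10 */
            q += 3;   /* for "%7" this steps over the NUL snprintf wrote */
        } else {
            *q++ = *p;
        }
    }
    return out;
}

int main(void)
{
    /* Constructed input: 'a', byte 0x07, 'b'; only 0x07 is escaped. */
    char *unpadded = url_encode_model("a\007b", "\007", 0);
    char *padded = url_encode_model("a\007b", "\007", 1);

    if (unpadded == NULL || padded == NULL)
        return 1;
    printf("unpadded: %s\n", unpadded);
    printf("padded:   %s\n", padded);
    free(unpadded);
    free(padded);
    return 0;
}
```

In this model the unpadded form leaves a NUL terminator in the middle of the buffer, so everything after the small byte is silently cut off, while bytes of 0x10 and above encode identically either way.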
dhawes left a comment
This change looks good, I just added one suggestion to get rid of compile warnings.
I would like to update the README to note that Apache 2.4 is the only supported version. I can take that (simple) task.
I'm not sure if you meant for the urlEncode() changes to go with this PR, but no objections from me.
Co-authored-by: David Hawes <dhawes@gmail.com>
The upstream support for Apache 2.2.x ended on 2018-01-01 and also none of the long term Linux distros still support it, looking at the latest still supported releases:
* Debian 8 ELTS has Apache httpd 2.4.10
* Ubuntu 14.4 has Apache httpd 2.4.5
* RHEL 7 has Apache httpd 2.4.6
* SLES 11 has Apache httpd 2.4.23
I've added a documentation entry to the README to mention that 2.4 is now required and did another smoke test on two CAS-enabled services using the latest version of the PR. (It also includes a small correctness fix which we had in our internal .deb package already and which is also included in the PR, it's a NOP for all current call sites of urlEncode().) With Apache 2.4 officially the base line, this also obsoletes CASAuthoritative. I can make a separate PR for that in the next days.
dhawes left a comment
Changes look good, thanks for doing the legwork to look at supported distro versions.
I'll likely do a clean up pass in the near future to remove some Apache 2.2-specific #ifdefs as well.
WIP pull request to remove Apache 2.2:
We may need to revisit using ap_cookie_read(). A user noted that they were getting into a redirect loop, and it turns out it's because of that change: If multiple mod_auth_cas cookies are sent, APR_EGENERAL is returned, which results in a redirect. This looks to be a common situation depending on a user's Apache config, and certainly is a change from previous versions. Perhaps we can grab the cookie directly with apr_table_do()?
Simplify the code by moving the cookie parsing to use ap_cookie_read(). We're running that patch on several servers in Wikimedia's CAS installation without problems.