/* Licensed to the Apache Software Foundation (ASF) under one or more

 * contributor license agreements.  See the NOTICE file distributed with

 * this work for additional information regarding copyright ownership.

 * The ASF licenses this file to You under the Apache License, Version 2.0

 * (the "License"); you may not use this file except in compliance with

 * the License.  You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include "util_cookies.h"

#include "apr_lib.h"

#include "apr_strings.h"

#include "http_config.h"

#include "http_core.h"

#include "http_log.h"

#define LOG_PREFIX "ap_cookie: "

/* we know core's module_index is 0 */

#undef APLOG_MODULE_INDEX

#define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX

/**

 * Write an RFC2109 compliant cookie.

 *

 * @param r The request

 * @param name The name of the cookie.

 * @param val The value to place in the cookie.

 * @param attrs The string containing additional cookie attributes. If NULL, the

 *              DEFAULT_ATTRS will be used.

 * @param maxage If non zero, a Max-Age header will be added to the cookie.

 */

AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, const char *val,

                                         const char *attrs, long maxage, ...)

{

    const char *buffer;

    const char *rfc2109;

    apr_table_t *t;

    va_list vp;

    /* handle expiry */

    buffer = "";

    if (maxage) {

        buffer = apr_pstrcat(r->pool, "Max-Age=", apr_ltoa(r->pool, maxage), ";", NULL);

    }

    /* create RFC2109 compliant cookie */

    rfc2109 = apr_pstrcat(r->pool, name, "=", val, ";", buffer,

                          attrs && *attrs ? attrs : DEFAULT_ATTRS, NULL);

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00007) LOG_PREFIX

                  "user '%s' set cookie: '%s'", r->user, rfc2109);

    /* write the cookie to the header table(s) provided */

    va_start(vp, maxage);

    while ((t = va_arg(vp, apr_table_t *))) {

        apr_table_addn(t, SET_COOKIE, rfc2109);

    }

    va_end(vp);

    return APR_SUCCESS;

}

/**

 * Write an RFC2965 compliant cookie.

 *

 * @param r The request

 * @param name2 The name of the cookie.

 * @param val The value to place in the cookie.

 * @param attrs2 The string containing additional cookie attributes. If NULL, the

 *               DEFAULT_ATTRS will be used.

 * @param maxage If non zero, a Max-Age header will be added to the cookie.

 */

AP_DECLARE(apr_status_t) ap_cookie_write2(request_rec * r, const char *name2, const char *val,

                                          const char *attrs2, long maxage, ...)

{

    const char *buffer;

    const char *rfc2965;

    apr_table_t *t;

    va_list vp;

    /* handle expiry */

    buffer = "";

    if (maxage) {

        buffer = apr_pstrcat(r->pool, "Max-Age=", apr_ltoa(r->pool, maxage), ";", NULL);

    }

    /* create RFC2965 compliant cookie */

    rfc2965 = apr_pstrcat(r->pool, name2, "=", val, ";", buffer,

                          attrs2 && *attrs2 ? attrs2 : DEFAULT_ATTRS, NULL);

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00008) LOG_PREFIX

                  "user '%s' set cookie2: '%s'", r->user, rfc2965);

    /* write the cookie to the header table(s) provided */

    va_start(vp, maxage);

    while ((t = va_arg(vp, apr_table_t *))) {

        apr_table_addn(t, SET_COOKIE2, rfc2965);

    }

    va_end(vp);

    return APR_SUCCESS;

}

/**

 * Remove an RFC2109 compliant cookie.

 *

 * @param r The request

 * @param name The name of the cookie.

 */

AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name, const char *attrs, ...)

{

    apr_table_t *t;

    va_list vp;

    /* create RFC2109 compliant cookie */

    const char *rfc2109 = apr_pstrcat(r->pool, name, "=;Max-Age=0;",

                                attrs ? attrs : CLEAR_ATTRS, NULL);

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00009) LOG_PREFIX

                  "user '%s' removed cookie: '%s'", r->user, rfc2109);

    /* write the cookie to the header table(s) provided */

    va_start(vp, attrs);

    while ((t = va_arg(vp, apr_table_t *))) {

        apr_table_addn(t, SET_COOKIE, rfc2109);

    }

    va_end(vp);

    return APR_SUCCESS;

}

/**

 * Remove an RFC2965 compliant cookie.

 *

 * @param r The request

 * @param name2 The name of the cookie.

 */

AP_DECLARE(apr_status_t) ap_cookie_remove2(request_rec * r, const char *name2, const char *attrs2, ...)

{

    apr_table_t *t;

    va_list vp;

    /* create RFC2965 compliant cookie */

    const char *rfc2965 = apr_pstrcat(r->pool, name2, "=;Max-Age=0;",

                                attrs2 ? attrs2 : CLEAR_ATTRS, NULL);

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00010) LOG_PREFIX

                  "user '%s' removed cookie2: '%s'", r->user, rfc2965);

    /* write the cookie to the header table(s) provided */

    va_start(vp, attrs2);

    while ((t = va_arg(vp, apr_table_t *))) {

        apr_table_addn(t, SET_COOKIE2, rfc2965);

    }

    va_end(vp);

    return APR_SUCCESS;

}

/* Iterate through the cookies, isolate our cookie and then remove it.

 *

 * If our cookie appears two or more times, but with different values,

 * remove it twice and set the duplicated flag to true. Remove any

 * $path or other attributes following our cookie if present. If we end

 * up with an empty cookie, remove the whole header.

 */

static int extract_cookie_line(void *varg, const char *key, const char *val)

{

    ap_cookie_do *v = varg;

    char *last1, *last2;

    char *cookie = apr_pstrdup(v->r->pool, val);

    const char *name = apr_pstrcat(v->r->pool, v->name ? v->name : "", "=", NULL);

    apr_size_t len = strlen(name);

    const char *new_cookie = "";

    const char *comma = ",";

    char *next1;

    const char *semi = ";";

    char *next2;

    const char *sep = "";

    int cookies = 0;

    /* find the cookie called name */

    int eat = 0;

    next1 = apr_strtok(cookie, comma, &last1);

    while (next1) {

        next2 = apr_strtok(next1, semi, &last2);

        while (next2) {

            char *trim = next2;

            while (apr_isspace(*trim)) {

                trim++;

            }

            if (!strncmp(trim, name, len)) {

                if (v->encoded) {

                    if (strcmp(v->encoded, trim + len)) {

                        v->duplicated = 1;

                    }

                }

                v->encoded = apr_pstrdup(v->r->pool, trim + len);

                eat = 1;

            }

            else {

                if (*trim != '$') {

                    cookies++;

                    eat = 0;

                }

                if (!eat) {

                    new_cookie = apr_pstrcat(v->r->pool, new_cookie, sep, next2, NULL);

                }

            }

            next2 = apr_strtok(NULL, semi, &last2);

            sep = semi;

        }

        next1 = apr_strtok(NULL, comma, &last1);

        sep = comma;

    }

    /* any cookies left over? */

    if (cookies) {

        apr_table_addn(v->new_cookies, key, new_cookie);

    }

    return 1;

}

/**

 * Read a cookie called name, placing its value in val.

 *

 * Both the Cookie and Cookie2 headers are scanned for the cookie.

 *

 * If the cookie is duplicated, this function returns APR_EGENERAL. If found,

 * and if remove is non zero, the cookie will be removed from the headers, and

 * thus kept private from the backend.

 */

AP_DECLARE(apr_status_t) ap_cookie_read(request_rec * r, const char *name, const char **val,

                                        int remove)

{

    ap_cookie_do v;

    v.r = r;

    v.encoded = NULL;

    v.new_cookies = apr_table_make(r->pool, 10);

    v.duplicated = 0;

    v.name = name;

    apr_table_do(extract_cookie_line, &v, r->headers_in,

                 "Cookie", "Cookie2", NULL);

    if (v.duplicated) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00011) LOG_PREFIX

         "client submitted cookie '%s' more than once: %s", v.name, r->uri);

        return APR_EGENERAL;

    }

    /* remove our cookie(s), and replace them */

    if (remove) {

        apr_table_unset(r->headers_in, "Cookie");

        apr_table_unset(r->headers_in, "Cookie2");

        r->headers_in = apr_table_overlay(r->pool, r->headers_in, v.new_cookies);

    }

    *val = v.encoded;

    return APR_SUCCESS;

}

/**

 * Sanity check a given string that it exists, is not empty,

 * and does not contain the special characters '=', ';' and '&'.

 *

 * It is used to sanity check the cookie names.

 */

AP_DECLARE(apr_status_t) ap_cookie_check_string(const char *string)

{

    if (!string || !*string || ap_strchr_c(string, '=') || ap_strchr_c(string, '&') ||

        ap_strchr_c(string, ';')) {

        return APR_EGENERAL;

    }

    return APR_SUCCESS;

}