From c7f44b0eebcb035396e093d28ba5541fc2581e91 Mon Sep 17 00:00:00 2001 From: zls0424 Date: Sat, 26 Jan 2019 00:25:42 +0800 Subject: [PATCH 1/2] fix bug in patten search; enable set in http scope; enable work with userid module --- README.md | 4 +- config | 1 + ngx_http_cookie_flag_filter_module.c | 74 +++++++++------------------- 3 files changed, 25 insertions(+), 54 deletions(-) diff --git a/README.md b/README.md index e8e71fc..b6a4567 100644 --- a/README.md +++ b/README.md @@ -54,9 +54,9 @@ It is possible to set a default value using symbol "*". In this case flags will --- | --- **Syntax** | **set_cookie_flag** \ [HttpOnly] [secure] [SameSite\|SameSite=[Lax\|Strict]]; **Default** | - -**Context** | server, location +**Context** | http, server, location Description: Add flag to desired cookie. ## Author -Anton Saraykin [] \ No newline at end of file +Anton Saraykin [] diff --git a/config b/config index 50e112c..09c3cff 100644 --- a/config +++ b/config @@ -4,6 +4,7 @@ if test -n "$ngx_module_link"; then ngx_module_type=HTTP_FILTER ngx_module_name=$ngx_addon_name ngx_module_srcs="$ngx_addon_dir/$ngx_addon_name.c" + ngx_module_order="$ngx_module_name ngx_http_userid_filter_module" . auto/module else diff --git a/ngx_http_cookie_flag_filter_module.c b/ngx_http_cookie_flag_filter_module.c index b0316aa..fd8fcf8 100644 --- a/ngx_http_cookie_flag_filter_module.c +++ b/ngx_http_cookie_flag_filter_module.c @@ -63,7 +63,7 @@ static ngx_command_t ngx_http_cookie_flag_filter_commands[] = { /* set cookie flag directive */ { ngx_string("set_cookie_flag"), - NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE, + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE, ngx_http_cookie_flag_filter_cmd, NGX_HTTP_LOC_CONF_OFFSET, 0, 
@@ -235,57 +235,27 @@ ngx_http_cookie_flag_filter_init(ngx_conf_t *cf) static ngx_int_t ngx_http_cookie_flag_filter_append(ngx_http_request_t *r, ngx_http_cookie_t *cookie, ngx_table_elt_t *header) { - ngx_str_t tmp; - - if (cookie->httponly == 1 && ngx_strcasestrn(header->value.data, "; HttpOnly", 10 - 1) == NULL) { - tmp.data = ngx_pnalloc(r->pool, header->value.len + sizeof("; HttpOnly") - 1); - if (tmp.data == NULL) { - return NGX_ERROR; - } - tmp.len = ngx_sprintf(tmp.data, "%V; HttpOnly", &header->value) - tmp.data; - header->value.data = tmp.data; - header->value.len = tmp.len; - } - - if (cookie->secure == 1 && ngx_strcasestrn(header->value.data, "; secure", 8 - 1) == NULL) { - tmp.data = ngx_pnalloc(r->pool, header->value.len + sizeof("; secure") - 1); - if (tmp.data == NULL) { - return NGX_ERROR; - } - tmp.len = ngx_sprintf(tmp.data, "%V; secure", &header->value) - tmp.data; - header->value.data = tmp.data; - header->value.len = tmp.len; - } - - if (cookie->samesite == 1 && ngx_strcasestrn(header->value.data, "; SameSite", 10 - 1) == NULL) { - tmp.data = ngx_pnalloc(r->pool, header->value.len + sizeof("; SameSite") - 1); - if (tmp.data == NULL) { - return NGX_ERROR; - } - tmp.len = ngx_sprintf(tmp.data, "%V; SameSite", &header->value) - tmp.data; - header->value.data = tmp.data; - header->value.len = tmp.len; - } - - if (cookie->samesite_lax == 1 && ngx_strcasestrn(header->value.data, "; SameSite=Lax", 14 - 1) == NULL) { - tmp.data = ngx_pnalloc(r->pool, header->value.len + sizeof("; SameSite=Lax") - 1); - if (tmp.data == NULL) { - return NGX_ERROR; - } - tmp.len = ngx_sprintf(tmp.data, "%V; SameSite=Lax", &header->value) - tmp.data; - header->value.data = tmp.data; - header->value.len = tmp.len; - } - - if (cookie->samesite_strict == 1 && ngx_strcasestrn(header->value.data, "; SameSite=Strict", 17 - 1) == NULL) { - tmp.data = ngx_pnalloc(r->pool, header->value.len + sizeof("; SameSite=Strict") - 1); - if (tmp.data == NULL) { - return NGX_ERROR; - } - 
tmp.len = ngx_sprintf(tmp.data, "%V; SameSite=Strict", &header->value) - tmp.data; - header->value.data = tmp.data; - header->value.len = tmp.len; - } + u_char *p, *last; + +#define NGX_CHECK_APPEND_COOKIE_FLAG(a, b) do { \ + last = header->value.data + header->value.len; \ + if (cookie->a == 1 && ngx_strlcasestrn(header->value.data, last, \ + (u_char *)b, sizeof(b) - 1) == NULL) { \ + p = ngx_pnalloc(r->pool, header->value.len + sizeof(b)); \ + if (p == NULL) { \ + return NGX_ERROR; \ + } \ + header->value.len = ngx_sprintf(p, "%V" b, &header->value) - p; \ + header->value.data = p; \ + p[header->value.len] = '\0'; \ + } \ +} while(0) + + NGX_CHECK_APPEND_COOKIE_FLAG(httponly, "; HttpOnly"); + NGX_CHECK_APPEND_COOKIE_FLAG(secure, "; secure"); + NGX_CHECK_APPEND_COOKIE_FLAG(samesite, "; SameSite"); + NGX_CHECK_APPEND_COOKIE_FLAG(samesite_lax, "; SameSite=Lax"); + NGX_CHECK_APPEND_COOKIE_FLAG(samesite_strict, "; SameSite=Strict"); return NGX_OK; } From 35961b301c541742c78eeb8747ab0c193c665aaa Mon Sep 17 00:00:00 2001 From: Lanshun Zhou Date: Thu, 31 Jan 2019 18:45:47 +0800 Subject: [PATCH 2/2] bug fix in cookie name check --- ngx_http_cookie_flag_filter_module.c | 36 +++++++++++++++------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/ngx_http_cookie_flag_filter_module.c b/ngx_http_cookie_flag_filter_module.c index fd8fcf8..28f978c 100644 --- a/ngx_http_cookie_flag_filter_module.c +++ b/ngx_http_cookie_flag_filter_module.c @@ -266,6 +266,7 @@ ngx_http_cookie_flag_filter_handler(ngx_http_request_t *r) ngx_http_cookie_flag_filter_loc_conf_t *flcf; ngx_http_cookie_t *cookie; ngx_uint_t i, j; + ngx_str_t *name; ngx_list_part_t *part; ngx_table_elt_t *header; 
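Review bot: In NGX_CHECK_APPEND_COOKIE_FLAG (patch 1/2, ngx_http_cookie_flag_filter_append) the needle length passed to ngx_strlcasestrn looks off by one. The removed calls passed `10 - 1` for the 10-character `"; HttpOnly"`, following nginx's convention that n is the needle length minus one, but the macro passes `sizeof(b) - 1`, which is the full length. With the full length the comparison also takes in the literal's terminating NUL and the search window ends one byte early, so a flag that is already present would not be found and would be appended a second time. I would pass `sizeof(b) - 2` and add a comment above the macro saying that `b` must be a string literal without `%`, because it is pasted into the ngx_sprintf format. The macro also hides a `return NGX_ERROR` and is never undefined; an `#undef NGX_CHECK_APPEND_COOKIE_FLAG` before `return NGX_OK;` would keep it local to this function.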
@@ -301,26 +302,27 @@ ngx_http_cookie_flag_filter_handler(ngx_http_request_t *r) // for each security cookie we check whether preset it within Set-Cookie value. If not then we append. for (j = 0; j < flcf->cookies->nelts; j++) { + name = &cookie[j].cookie_name; - if (ngx_strncasecmp(cookie[j].cookie_name.data, (u_char *) "*", 1) != 0) { - // append "=" to the security cookie name. The result will be something like "cookie_name=" - char *cookie_name = ngx_pnalloc(r->pool, sizeof("=") - 1 + cookie[j].cookie_name.len); - if (cookie_name == NULL) { - return NGX_ERROR; + if (name->len != 1 || name->data[0] != '*') { + if (header[i].value.len <= name->len + sizeof("=") - 1) { + continue; + } + + if (ngx_strncasecmp(name->data, header[i].value.data, + name->len) != 0 || + header[i].value.data[name->len] != '=') + { + continue; } - strcpy(cookie_name, (char *) cookie[j].cookie_name.data); - strcat(cookie_name, "="); - - // if Set-Cookie contains a cookie from settings - if (ngx_strcasestrn(header[i].value.data, cookie_name, strlen(cookie_name) - 1) != NULL) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "filter http_cookie_flag - add flags for cookie \"%V\"", &cookie[j].cookie_name); - ngx_int_t res = ngx_http_cookie_flag_filter_append(r, &cookie[j], &header[i]); - if (res != NGX_OK) { - return NGX_ERROR; - } - break; // otherwise default value will be added + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "filter http_cookie_flag - add flags for cookie \"%V\"", name); + ngx_int_t res = ngx_http_cookie_flag_filter_append(r, &cookie[j], &header[i]); + if (res != NGX_OK) { + return NGX_ERROR; } - } else if (ngx_strncasecmp(cookie[j].cookie_name.data, (u_char *) "*", 1) == 0) { + break; // otherwise default value will be added + } else { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "filter http_cookie_flag - add default cookie flags"); ngx_int_t res = ngx_http_cookie_flag_filter_append(r, &cookie[j], &header[i]); if (res != NGX_OK) {
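Review bot: The length guard `if (header[i].value.len <= name->len + sizeof("=") - 1)` in the named-cookie branch also skips a Set-Cookie value that is exactly `name=` (empty value, no attributes). Such a cookie gets no flags from its own rule and is only covered if a later `*` entry exists; `<` is enough to keep the `header[i].value.data[name->len]` read in bounds. The name comparison uses ngx_strncasecmp, so a rule also applies to cookies whose names differ only in case, although cookie names are case-sensitive; if that over-match is intended, a short comment saying so would help. ngx_http_cookie_flag_filter_handler starts and ends outside this hunk, so the surrounding loop is not visible here.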