release 2.4.16.10

complete case-insensitive protocol/hostname/domain-name comparisons

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,7 @@
+03/21/2025
+- core: complete case-insensitive protocol/hostname/domain-name comparisons
+- release 2.4.16.10
+
 03/20/2025
 - core: compare hostnames and domains in a case insensitive way in:
     oidc_request_check_cookie_domain

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.16.10dev],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.16.10],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/handle/request.c

@@ -57,7 +57,8 @@ apr_byte_t oidc_request_check_cookie_domain(request_rec *r, oidc_cfg_t *c, const
 	_oidc_memset(&r_uri, 0, sizeof(apr_uri_t));
 	apr_uri_parse(r->pool, original_url, &o_uri);
 	apr_uri_parse(r->pool, oidc_util_redirect_uri(r, c), &r_uri);
-	if ((_oidc_strnatcasecmp(o_uri.scheme, r_uri.scheme) != 0) && (_oidc_strcmp(r_uri.scheme, "https") == 0)) {
+	if ((_oidc_strnatcasecmp(o_uri.scheme, r_uri.scheme) != 0) &&
+	    (_oidc_strnatcasecmp(r_uri.scheme, "https") == 0)) {
 		oidc_error(r,
 			   "the URL scheme (%s) of the configured " OIDCRedirectURI
 			   " does not match the URL scheme of the URL being accessed (%s): the \"state\" and "
@@ -68,8 +69,8 @@ apr_byte_t oidc_request_check_cookie_domain(request_rec *r, oidc_cfg_t *c, const
 
 	if (oidc_cfg_cookie_domain_get(c) == NULL) {
 		if (_oidc_strnatcasecmp(o_uri.hostname, r_uri.hostname) != 0) {
-			char *p = _oidc_strstr(o_uri.hostname, r_uri.hostname);
-			if ((p == NULL) || (_oidc_strcmp(r_uri.hostname, p) != 0)) {
+			const char *p = oidc_util_strcasestr(o_uri.hostname, r_uri.hostname);
+			if ((p == NULL) || (_oidc_strnatcasecmp(r_uri.hostname, p) != 0)) {
 				oidc_error(r,
 					   "the URL hostname (%s) of the configured " OIDCRedirectURI
 					   " does not match the URL hostname of the URL being accessed (%s): the "

src/metrics.c

@@ -321,9 +321,9 @@ apr_byte_t oidc_metrics_is_valid_classname(apr_pool_t *pool, const char *name, c
 	*valid_names = apr_psprintf(pool, "%s%s%s", *valid_names ? *valid_names : "", *valid_names ? " | " : "",
 				    "claim.id_token.* | claim.userinfo.*");
 
-	return apr_table_get(names, name)
-		   ? TRUE
-		   : ((strstr(name, "claim.id_token.") != NULL) || (strstr(name, "claim.userinfo.") != NULL));
+	return apr_table_get(names, name) ? TRUE
+					  : ((_oidc_strstr(name, "claim.id_token.") != NULL) ||
+					     (_oidc_strstr(name, "claim.userinfo.") != NULL));
 }
 
 /*
@@ -643,7 +643,7 @@ static void oidc_metrics_store(server_rec *s) {
 			apr_hash_this(hi2, (const void **)&key, NULL, (void **)&counter_hash);
 
 			key = apr_pstrdup(s->process->pool, key);
-			p = strstr(key, ".");
+			p = _oidc_strstr(key, ".");
 			if (p == NULL) {
 				/* get or create the corresponding metric entry in the global metrics */
 				j_counter = json_object_get(j_counters, key);

src/mod_auth_openidc.c

@@ -899,19 +899,19 @@ apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg_t *c, const char
 		}
 	}
 
-	if ((uri.hostname == NULL) && (oidc_util_strcasestr(url, "/") != url)) {
+	if ((uri.hostname == NULL) && (_oidc_strstr(url, "/") != url)) {
 		*err_str = apr_pstrdup(r->pool, "Malformed URL");
 		*err_desc = apr_psprintf(
 		    r->pool, "No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s",
 		    url);
 		oidc_error(r, "%s: %s", *err_str, *err_desc);
 		return FALSE;
-	} else if ((uri.hostname == NULL) && (oidc_util_strcasestr(url, "//") == url)) {
+	} else if ((uri.hostname == NULL) && (_oidc_strstr(url, "//") == url)) {
 		*err_str = apr_pstrdup(r->pool, "Malformed URL");
 		*err_desc = apr_psprintf(r->pool, "No hostname was parsed and starting with '//': %s", url);
 		oidc_error(r, "%s: %s", *err_str, *err_desc);
 		return FALSE;
-	} else if ((uri.hostname == NULL) && (oidc_util_strcasestr(url, "/\\") == url)) {
+	} else if ((uri.hostname == NULL) && (_oidc_strstr(url, "/\\") == url)) {
 		*err_str = apr_pstrdup(r->pool, "Malformed URL");
 		*err_desc = apr_psprintf(r->pool, "No hostname was parsed and starting with '/\\': %s", url);
 		oidc_error(r, "%s: %s", *err_str, *err_desc);
@@ -1429,7 +1429,7 @@ static int oidc_check_config_openid_openidc(server_rec *s, oidc_cfg_t *c) {
 		} else {
 			apr_uri_parse(s->process->pconf, oidc_cfg_provider_metadata_url_get(oidc_cfg_provider_get(c)),
 				      &r_uri);
-			if ((r_uri.scheme == NULL) || (_oidc_strcmp(r_uri.scheme, "https") != 0)) {
+			if ((r_uri.scheme == NULL) || (_oidc_strnatcasecmp(r_uri.scheme, "https") != 0)) {
 				oidc_swarn(s,
 					   "the URL scheme (%s) of the configured " OIDCProviderMetadataURL
 					   " SHOULD be \"https\" for security reasons!",
@@ -1448,7 +1448,7 @@ static int oidc_check_config_openid_openidc(server_rec *s, oidc_cfg_t *c) {
 
 	apr_uri_parse(s->process->pconf, oidc_cfg_redirect_uri_get(c), &r_uri);
 	if (!redirect_uri_is_relative) {
-		if (_oidc_strcmp(r_uri.scheme, "https") != 0) {
+		if (_oidc_strnatcasecmp(r_uri.scheme, "https") != 0) {
 			oidc_swarn(s,
 				   "the URL scheme (%s) of the configured " OIDCRedirectURI
 				   " SHOULD be \"https\" for security reasons (moreover: some Providers may reject "
@@ -1494,7 +1494,7 @@ static int oidc_check_config_oauth(server_rec *s, oidc_cfg_t *c) {
 
 	if (oidc_cfg_oauth_metadata_url_get(c) != NULL) {
 		apr_uri_parse(s->process->pconf, oidc_cfg_oauth_metadata_url_get(c), &r_uri);
-		if ((r_uri.scheme == NULL) || (_oidc_strcmp(r_uri.scheme, "https") != 0)) {
+		if ((r_uri.scheme == NULL) || (_oidc_strnatcasecmp(r_uri.scheme, "https") != 0)) {
 			oidc_swarn(s,
 				   "the URL scheme (%s) of the configured " OIDCOAuthServerMetadataURL
 				   " SHOULD be \"https\" for security reasons!",

src/util.c

@@ -662,7 +662,7 @@ static const char *oidc_util_current_url_scheme(const request_rec *r, oidc_hdr_x
 #endif
 	}
 	if ((scheme_str == NULL) ||
-	    ((_oidc_strcmp(scheme_str, "http") != 0) && (_oidc_strcmp(scheme_str, "https") != 0))) {
+	    ((_oidc_strnatcasecmp(scheme_str, "http") != 0) && (_oidc_strnatcasecmp(scheme_str, "https") != 0))) {
 		oidc_warn(r,
 			  "detected HTTP scheme \"%s\" is not \"http\" nor \"https\"; perhaps your reverse proxy "
 			  "passes a wrongly configured \"%s\" header: falling back to default \"https\"",
@@ -752,9 +752,9 @@ static const char *oidc_get_current_url_port(const request_rec *r, const char *s
 	 * determine the port locally and don't print it when it's the default for the protocol
 	 */
 	const apr_port_t port = r->connection->local_addr->port;
-	if ((_oidc_strcmp(scheme_str, "https") == 0) && port == 443)
+	if ((_oidc_strnatcasecmp(scheme_str, "https") == 0) && port == 443)
 		return NULL;
-	else if ((_oidc_strcmp(scheme_str, "http") == 0) && port == 80)
+	else if ((_oidc_strnatcasecmp(scheme_str, "http") == 0) && port == 80)
 		return NULL;
 
 	port_str = apr_psprintf(r->pool, "%u", port);