diff -Nru libapache2-authcookie-perl-3.28/Changes libapache2-authcookie-perl-3.30/Changes --- libapache2-authcookie-perl-3.28/Changes 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/Changes 2020-04-14 15:36:57.000000000 +0000 @@ -1,5 +1,21 @@ Revision history for Apache::AuthCookie +3.30 2020-04-14 + - Fix logic error for EnforceLocalDestination + - Add a bunch of tests to cover all scenarios of EnforceLocalDestination and + DefaultDestination + +3.29 2020-03-22 + - Add optional support for enforcing a local destination, like so: + + PerlSetVar MyAuthEnforceLocalDestination 1 + + - Add optional support for specifying a default destination when the login + form's destination argument is unspecified or invalid (including + non-local if local destinations are enforced), like this: + + PerlSetVar MyAuthDefaultDestination /protected/user/ + 3.28 2019-11-19 - Add support for SameSite cookie property (can be strict/lax). - Minor POD updates. diff -Nru libapache2-authcookie-perl-3.28/debian/changelog libapache2-authcookie-perl-3.30/debian/changelog --- libapache2-authcookie-perl-3.28/debian/changelog 2019-12-01 17:01:29.000000000 +0000 +++ libapache2-authcookie-perl-3.30/debian/changelog 2020-04-16 16:18:53.000000000 +0000 
@@ -1,3 +1,19 @@ +libapache2-authcookie-perl (3.30-1) unstable; urgency=medium + + * Team upload. + * Import upstream version 3.30. + + -- gregor herrmann Thu, 16 Apr 2020 18:18:53 +0200 + +libapache2-authcookie-perl (3.29-1) unstable; urgency=medium + + * Team upload. + * Import upstream version 3.29. + * Update runtime dependencies. + * Declare compliance with Debian Policy 4.5.0. + + -- gregor herrmann Thu, 26 Mar 2020 21:03:57 +0100 + libapache2-authcookie-perl (3.28-1) unstable; urgency=medium * Team upload diff -Nru libapache2-authcookie-perl-3.28/debian/control libapache2-authcookie-perl-3.30/debian/control --- libapache2-authcookie-perl-3.28/debian/control 2019-12-01 17:01:29.000000000 +0000 +++ libapache2-authcookie-perl-3.30/debian/control 2020-04-16 16:18:53.000000000 +0000 @@ -14,7 +14,7 @@ liburi-perl , libwww-form-urlencoded-perl , perl -Standards-Version: 4.4.1 +Standards-Version: 4.5.0 Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/libapache2-authcookie-perl Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/libapache2-authcookie-perl.git Homepage: https://metacpan.org/release/Apache-AuthCookie @@ -28,6 +28,7 @@ libclass-load-perl, libhash-multivalue-perl, libhttp-body-perl, + liburi-perl, libwww-form-urlencoded-perl Description: Perl Authentication and Authorization via cookies This module is for mod_perl version 2. If you are running mod_perl version 1, diff -Nru libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/FAQ.pod libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/FAQ.pod --- libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/FAQ.pod 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/FAQ.pod 2020-04-14 15:36:57.000000000 +0000 
@@ -17,7 +17,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 DESCRIPTION diff -Nru libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/Params/Base.pm libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/Params/Base.pm --- libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/Params/Base.pm 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/Params/Base.pm 2020-04-14 15:36:57.000000000 +0000 @@ -1,5 +1,5 @@ package Apache::AuthCookie::Params::Base; -$Apache::AuthCookie::Params::Base::VERSION = '3.28'; +$Apache::AuthCookie::Params::Base::VERSION = '3.30'; # ABSTRACT: Internal CGI AuthCookie Params Base Class use strict; @@ -57,7 +57,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 SYNOPSIS diff -Nru libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/Params/CGI.pm libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/Params/CGI.pm --- libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/Params/CGI.pm 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/Params/CGI.pm 2020-04-14 15:36:57.000000000 +0000 @@ -1,5 +1,5 @@ package Apache::AuthCookie::Params::CGI; -$Apache::AuthCookie::Params::CGI::VERSION = '3.28'; +$Apache::AuthCookie::Params::CGI::VERSION = '3.30'; # ABSTRACT: Internal CGI Params Subclass use strict; @@ -182,7 +182,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 SYNOPSIS diff -Nru libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/Params.pm libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/Params.pm --- libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/Params.pm 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/Params.pm 2020-04-14 15:36:57.000000000 +0000 @@ -1,5 +1,5 @@ package Apache::AuthCookie::Params; -$Apache::AuthCookie::Params::VERSION = '3.28'; +$Apache::AuthCookie::Params::VERSION = '3.30'; # ABSTRACT: AuthCookie Params Driver for mod_perl 1.x use strict; 
@@ -42,7 +42,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 SYNOPSIS diff -Nru libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/Util.pm libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/Util.pm --- libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie/Util.pm 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie/Util.pm 2020-04-14 15:36:57.000000000 +0000 @@ -1,12 +1,15 @@ package Apache::AuthCookie::Util; -$Apache::AuthCookie::Util::VERSION = '3.28'; +$Apache::AuthCookie::Util::VERSION = '3.30'; # ABSTRACT: Internal Utility Functions for AuthCookie use strict; use base 'Exporter'; +use URI; -our @EXPORT_OK = qw(is_blank); - +our @EXPORT_OK = qw( + is_blank + is_local_destination +); sub expires { my($time,$format) = @_; @@ -92,6 +95,33 @@ return defined $_[0] && ($_[0] =~ /\S/) ? 0 : 1; } +# returns true if the given value looks like a local destination +sub is_local_destination { + my ($destination, $current_uri) = @_; + + # blank location is not considered "local" + return 0 if is_blank($destination); + + # If the location does not start with a scheme or is not protocol relative, + # then the location is local. + # Scheme is defined in RFC 3986 as: + # ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) + return 1 if $destination !~ m|^ (?: [a-z] [a-z0-9+-.]* :)? //|ix; + + # Otherwise it is an absolute URL, but it might still be local to the + # current request, so we need to account for that. + $current_uri = URI->new($current_uri) or return 0; + my $destination_uri = URI->new($destination) or return 0; + + # If the current URI and the destination have same scheme, host, and port, + # then the URL is local + return 1 if lc($current_uri->scheme) eq lc($destination_uri->scheme) + and lc($current_uri->host) eq lc($destination_uri->host) + and $current_uri->port == $destination_uri->port; + + return 0; +} + 1; __END__ 
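Review bot: The early `return 1 if $destination !~ m|^ (?: [a-z] [a-z0-9+-.]* :)? //|ix` classifies as local every value that does not begin with `//` or `scheme://`, so a destination with leading whitespace, a scheme followed by a colon but no slashes, or a `/\` prefix is accepted outright even though user agents may resolve such values against another host, and the scheme/host/port comparison below never sees them. A stricter shape accepts without further checks only a root-relative path, `return 1 if $destination =~ m{\A / (?! [/\\]) }x;`, and sends everything else that is not a `scheme://` URL to the URI comparison (which then has to return 0 when the parsed destination has no scheme or host rather than compare undef). Inside the character class `+-.` is a range from `+` to `.` that also matches a comma; write it as `[a-z0-9+.-]`. `URI->new($current_uri) or return 0` and the matching line for the destination never trigger, since `URI->new` returns an object for any string; a `defined $destination_uri->scheme` check states the guard that is actually wanted.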
@@ -106,7 +136,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 DESCRIPTION diff -Nru libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie.pm libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie.pm --- libapache2-authcookie-perl-3.28/lib/Apache/AuthCookie.pm 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache/AuthCookie.pm 2020-04-14 15:36:57.000000000 +0000 @@ -1,5 +1,5 @@ package Apache::AuthCookie; -$Apache::AuthCookie::VERSION = '3.28'; +$Apache::AuthCookie::VERSION = '3.30'; # ABSTRACT: Perl Authentication and Authorization via cookies use strict; @@ -8,8 +8,9 @@ use mod_perl qw(1.07 StackedHandlers MethodHandlers Authen Authz); use Apache::Constants qw(:common M_GET FORBIDDEN OK REDIRECT); use Apache::AuthCookie::Params; -use Apache::AuthCookie::Util qw(is_blank); +use Apache::AuthCookie::Util qw(is_blank is_local_destination); use Apache::Util qw(escape_uri); +use Apache::URI; use Encode (); 
@@ -201,10 +202,36 @@ $self->_convert_to_get($r) if $r->method eq 'POST'; - unless (defined $params->param('destination')) { - $r->log_error("No key 'destination' found in form data"); - $r->subprocess_env('AuthCookieReason', 'no_cookie'); - return $auth_type->login_form; + my $destination = $params->param('destination'); + my $default_destination = $r->dir_config("${auth_name}DefaultDestination"); + + if (is_blank($destination)) { + if (!is_blank($default_destination)) { + $destination = $default_destination; + $r->log_error("destination set to $destination"); + } + else { + $r->log_error("No key 'destination' found in form data"); + $r->subprocess_env('AuthCookieReason', 'no_cookie'); + return $auth_type->login_form; + } + } + + if ($r->dir_config("${auth_name}EnforceLocalDestination")) { + my $current_url = Apache::URI->parse($r)->unparse; + unless (is_local_destination($destination, $current_url)) { + $r->log_error("non-local destination $destination detected for uri ",$r->uri); + + if (is_local_destination($default_destination, $current_url)) { + $destination = $default_destination; + $r->log_error("destination changed to $destination"); + } + else { + $r->log_error("Returning login form: non local destination: $destination"); + $r->subprocess_env('AuthCookieReason', 'no_cookie'); + return $auth_type->login_form($r); + } + } } # Get the credentials from the data posted by the client @@ -224,7 +251,7 @@ unless ($ses_key) { $r->log_error("Bad credentials") if $debug >= 2; $r->subprocess_env('AuthCookieReason', 'bad_credentials'); - $r->uri($self->untaint_destination($params->param('destination'))); + $r->uri($self->untaint_destination($destination)); return $auth_type->login_form; } @@ -241,8 +268,7 @@ $self->handle_cache; - $r->header_out( - "Location" => $self->untaint_destination($params->param('destination'))); + $r->header_out(Location => $self->untaint_destination($destination)); return REDIRECT; } 
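Review bot: `if ($r->dir_config("${auth_name}EnforceLocalDestination"))` treats any non-empty value as enabled, so `PerlSetVar WhatEverEnforceLocalDestination Off` switches enforcement on (the test config in t/conf/extra.conf.in uses `On`, the POD uses `1`); the same condition appears in the Apache2::AuthCookie::Base hunk. Normalise the value before testing it, e.g. `my $enforce = $r->dir_config("${auth_name}EnforceLocalDestination") || '';` followed by `if ($enforce =~ /\A(?:1|on|true|yes)\z/i) {`, and document the accepted spellings in the POD. In this mod_perl 1 module the non-local branch returns `$auth_type->login_form($r)` while the two neighbouring returns in the hunk call `login_form` with no argument; the calls should agree. `$r->log_error("destination set to $destination")` and the "destination changed to" message write a user-supplied value to the error log on every login, whereas the nearby "Bad credentials" message is gated by `$debug >= 2`; gating these the same way keeps the log quiet at default verbosity. The enclosing login method starts and ends outside the hunk.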
@@ -643,7 +669,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 SYNOPSIS @@ -691,6 +717,14 @@ # of this should be PerlSetVar WhatEverP3P "CP=\"...\"" + # optional: enforce that the destination argument from the login form is + # local to the server + PerlSetVar WhatEverEnforceLocalDestination 1 + + # optional: specify a default destination for when the destination argument + # of the login form is invalid or unspecified + PerlSetVar WhatEverDefaultDestination /protected/user/ + # These documents require user to be logged in. AuthType Sample::Apache::AuthCookieHandler diff -Nru libapache2-authcookie-perl-3.28/lib/Apache2/AuthCookie/Base.pm libapache2-authcookie-perl-3.30/lib/Apache2/AuthCookie/Base.pm --- libapache2-authcookie-perl-3.28/lib/Apache2/AuthCookie/Base.pm 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache2/AuthCookie/Base.pm 2020-04-14 15:36:57.000000000 +0000 @@ -1,18 +1,19 @@ package Apache2::AuthCookie::Base; -$Apache2::AuthCookie::Base::VERSION = '3.28'; +$Apache2::AuthCookie::Base::VERSION = '3.30'; # ABSTRACT: Common Methods Shared by Apache2 and Apache2_4 AuthCookie Subclasses. use strict; use mod_perl2 '1.99022'; use Carp; -use Apache::AuthCookie::Util qw(is_blank); +use Apache::AuthCookie::Util qw(is_blank is_local_destination); use Apache2::AuthCookie::Params; use Apache2::RequestRec; use Apache2::RequestUtil; use Apache2::Log; use Apache2::Access; use Apache2::Response; +use Apache2::URI; use Apache2::Util; use APR::Table; use Apache2::Const qw(OK DECLINED SERVER_ERROR M_GET HTTP_FORBIDDEN HTTP_MOVED_TEMPORARILY HTTP_OK); 
@@ -268,10 +269,36 @@ $self->_convert_to_get($r); } - unless (defined $params->param('destination')) { - $r->server->log_error("No key 'destination' found in form data"); - $r->subprocess_env('AuthCookieReason', 'no_cookie'); - return $auth_type->login_form($r); + my $default_destination = $r->dir_config("${auth_name}DefaultDestination"); + my $destination = $params->param('destination'); + + if (is_blank($destination)) { + if (!is_blank($default_destination)) { + $destination = $default_destination; + $r->server->log_error("destination set to $destination"); + } + else { + $r->server->log_error("No key 'destination' found in form data"); + $r->subprocess_env('AuthCookieReason', 'no_cookie'); + return $auth_type->login_form($r); + } + } + + if ($r->dir_config("${auth_name}EnforceLocalDestination")) { + my $current_url = $r->construct_url; + unless (is_local_destination($destination, $current_url)) { + $r->server->log_error("non-local destination $destination detected for uri ",$r->uri); + + if (is_local_destination($default_destination, $current_url)) { + $destination = $default_destination; + $r->server->log_error("destination changed to $destination"); + } + else { + $r->server->log_error("Returning login form: non local destination: $destination"); + $r->subprocess_env('AuthCookieReason', 'no_cookie'); + return $auth_type->login_form($r); + } + } } # Get the credentials from the data posted by the client @@ -291,7 +318,7 @@ unless ($ses_key) { $r->server->log_error("Bad credentials") if $debug >= 2; $r->subprocess_env('AuthCookieReason', 'bad_credentials'); - $r->uri($self->untaint_destination($params->param('destination'))); + $r->uri($self->untaint_destination($destination)); return $auth_type->login_form($r); } 
@@ -305,11 +332,11 @@ $self->handle_cache($r); if ($debug >= 2) { - $r->server->log_error("redirect to ", $params->param('destination')); + $r->server->log_error("redirect to $destination"); } $r->headers_out->set( - "Location" => $self->untaint_destination($params->param('destination'))); + "Location" => $self->untaint_destination($destination)); return HTTP_MOVED_TEMPORARILY; } @@ -541,7 +568,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 DESCRIPTION diff -Nru libapache2-authcookie-perl-3.28/lib/Apache2/AuthCookie/Params.pm libapache2-authcookie-perl-3.30/lib/Apache2/AuthCookie/Params.pm --- libapache2-authcookie-perl-3.28/lib/Apache2/AuthCookie/Params.pm 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache2/AuthCookie/Params.pm 2020-04-14 15:36:57.000000000 +0000 @@ -1,5 +1,5 @@ package Apache2::AuthCookie::Params; -$Apache2::AuthCookie::Params::VERSION = '3.28'; +$Apache2::AuthCookie::Params::VERSION = '3.30'; # ABSTRACT: AuthCookie Params Driver for mod_perl 2.x use strict; @@ -42,7 +42,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 SYNOPSIS diff -Nru libapache2-authcookie-perl-3.28/lib/Apache2/AuthCookie.pm libapache2-authcookie-perl-3.30/lib/Apache2/AuthCookie.pm --- libapache2-authcookie-perl-3.28/lib/Apache2/AuthCookie.pm 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache2/AuthCookie.pm 2020-04-14 15:36:57.000000000 +0000 @@ -1,5 +1,5 @@ package Apache2::AuthCookie; -$Apache2::AuthCookie::VERSION = '3.28'; +$Apache2::AuthCookie::VERSION = '3.30'; # ABSTRACT: Perl Authentication and Authorization via cookies use strict; @@ -118,7 +118,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 SYNOPSIS 
@@ -176,6 +176,14 @@ # optional: enable decoding of httpd.conf "Requires" directives PerlSetVar WhatEverRequiresEncoding UTF-8 + # optional: enforce that the destination argument from the login form is + # local to the server + PerlSetVar WhatEverEnforceLocalDestination 1 + + # optional: specify a default destination for when the destination argument + # of the login form is invalid or unspecified + PerlSetVar WhatEverDefaultDestination /protected/user/ + # These documents require user to be logged in. AuthType Sample::Apache2::AuthCookieHandler diff -Nru libapache2-authcookie-perl-3.28/lib/Apache2_4/AuthCookie.pm libapache2-authcookie-perl-3.30/lib/Apache2_4/AuthCookie.pm --- libapache2-authcookie-perl-3.28/lib/Apache2_4/AuthCookie.pm 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/lib/Apache2_4/AuthCookie.pm 2020-04-14 15:36:57.000000000 +0000 @@ -1,5 +1,5 @@ package Apache2_4::AuthCookie; -$Apache2_4::AuthCookie::VERSION = '3.28'; +$Apache2_4::AuthCookie::VERSION = '3.30'; # ABSTRACT: Perl Authentication and Authorization via cookies for Apache 2.4 use strict; @@ -60,7 +60,7 @@ =head1 VERSION -version 3.28 +version 3.30 =head1 SYNOPSIS diff -Nru libapache2-authcookie-perl-3.28/Makefile.PL libapache2-authcookie-perl-3.30/Makefile.PL --- libapache2-authcookie-perl-3.28/Makefile.PL 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/Makefile.PL 2020-04-14 15:36:57.000000000 +0000 @@ -32,12 +32,13 @@ "HTTP::Body" => 0, "Hash::MultiValue" => 0, "Test::More" => "0.94", + "URI" => "1.36", "WWW::Form::UrlEncoded" => 0 }, "TEST_REQUIRES" => { "URI::Escape" => "1.31" }, - "VERSION" => "3.28", + "VERSION" => "3.30", "clean" => { "FILES" => [ "t/TEST" 
@@ -55,6 +56,7 @@ "HTTP::Body" => 0, "Hash::MultiValue" => 0, "Test::More" => "0.94", + "URI" => "1.36", "URI::Escape" => "1.31", "WWW::Form::UrlEncoded" => 0 ); diff -Nru libapache2-authcookie-perl-3.28/MANIFEST libapache2-authcookie-perl-3.30/MANIFEST --- libapache2-authcookie-perl-3.28/MANIFEST 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/MANIFEST 2020-04-14 15:36:57.000000000 +0000 @@ -20,7 +20,11 @@ lib/Apache2/AuthCookie/Base.pm lib/Apache2/AuthCookie/Params.pm lib/Apache2_4/AuthCookie.pm +scripts/docker-shell +scripts/docker-smoke +scripts/dzil-build scripts/perlbrew-smoke +scripts/run-docker-tests t/Skeleton/AuthCookieHandler.pm t/TEST.PL t/author-pod-syntax.t @@ -36,6 +40,8 @@ t/htdocs/docs/logout.pl t/htdocs/docs/myuser/get_me.html t/htdocs/docs/protected/echo_user.pl +t/htdocs/docs/protected/enforce-local/no-default/index.html +t/htdocs/docs/protected/enforce-local/with-default/index.html t/htdocs/docs/protected/get_me.html t/htdocs/docs/protected/index.html t/htdocs/docs/stimeout/get_me.html diff -Nru libapache2-authcookie-perl-3.28/MANIFEST.SKIP libapache2-authcookie-perl-3.30/MANIFEST.SKIP --- libapache2-authcookie-perl-3.28/MANIFEST.SKIP 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/MANIFEST.SKIP 2020-04-14 15:36:57.000000000 +0000 @@ -24,4 +24,5 @@ ^t/logs/ ^t/TEST$ ^t/SMOKE$ - +^travis-build$ +^.travis.yml$ diff -Nru libapache2-authcookie-perl-3.28/META.json libapache2-authcookie-perl-3.30/META.json --- libapache2-authcookie-perl-3.28/META.json 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/META.json 2020-04-14 15:36:57.000000000 +0000 @@ -23,6 +23,7 @@ "develop" : { "requires" : { "Dist::Zilla" : "5", + "Dist::Zilla::Plugin::Git::Push" : "0", "Dist::Zilla::Plugin::Prereqs" : "0", "Dist::Zilla::PluginBundle::ApacheTest" : "0", "Dist::Zilla::PluginBundle::Filter" : "0", 
@@ -43,6 +44,7 @@ "HTTP::Body" : "0", "Hash::MultiValue" : "0", "Test::More" : "0.94", + "URI" : "1.36", "WWW::Form::UrlEncoded" : "0" } }, @@ -55,39 +57,39 @@ "provides" : { "Apache2::AuthCookie" : { "file" : "lib/Apache2/AuthCookie.pm", - "version" : "3.28" + "version" : "3.30" }, "Apache2::AuthCookie::Base" : { "file" : "lib/Apache2/AuthCookie/Base.pm", - "version" : "3.28" + "version" : "3.30" }, "Apache2::AuthCookie::Params" : { "file" : "lib/Apache2/AuthCookie/Params.pm", - "version" : "3.28" + "version" : "3.30" }, "Apache2_4::AuthCookie" : { "file" : "lib/Apache2_4/AuthCookie.pm", - "version" : "3.28" + "version" : "3.30" }, "Apache::AuthCookie" : { "file" : "lib/Apache/AuthCookie.pm", - "version" : "3.28" + "version" : "3.30" }, "Apache::AuthCookie::Params" : { "file" : "lib/Apache/AuthCookie/Params.pm", - "version" : "3.28" + "version" : "3.30" }, "Apache::AuthCookie::Params::Base" : { "file" : "lib/Apache/AuthCookie/Params/Base.pm", - "version" : "3.28" + "version" : "3.30" }, "Apache::AuthCookie::Params::CGI" : { "file" : "lib/Apache/AuthCookie/Params/CGI.pm", - "version" : "3.28" + "version" : "3.30" }, "Apache::AuthCookie::Util" : { "file" : "lib/Apache/AuthCookie/Util.pm", - "version" : "3.28" + "version" : "3.30" } }, "release_status" : "stable", @@ -102,7 +104,7 @@ "web" : "https://github.com/mschout/apache-authcookie" } }, - "version" : "3.28", + "version" : "3.30", "x_generated_by_perl" : "v5.26.2", "x_serialization_backend" : "Cpanel::JSON::XS version 4.04" } diff -Nru libapache2-authcookie-perl-3.28/META.yml libapache2-authcookie-perl-3.30/META.yml --- libapache2-authcookie-perl-3.28/META.yml 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/META.yml 2020-04-14 15:36:57.000000000 +0000 
@@ -17,31 +17,31 @@ provides: Apache2::AuthCookie: file: lib/Apache2/AuthCookie.pm - version: '3.28' + version: '3.30' Apache2::AuthCookie::Base: file: lib/Apache2/AuthCookie/Base.pm - version: '3.28' + version: '3.30' Apache2::AuthCookie::Params: file: lib/Apache2/AuthCookie/Params.pm - version: '3.28' + version: '3.30' Apache2_4::AuthCookie: file: lib/Apache2_4/AuthCookie.pm - version: '3.28' + version: '3.30' Apache::AuthCookie: file: lib/Apache/AuthCookie.pm - version: '3.28' + version: '3.30' Apache::AuthCookie::Params: file: lib/Apache/AuthCookie/Params.pm - version: '3.28' + version: '3.30' Apache::AuthCookie::Params::Base: file: lib/Apache/AuthCookie/Params/Base.pm - version: '3.28' + version: '3.30' Apache::AuthCookie::Params::CGI: file: lib/Apache/AuthCookie/Params/CGI.pm - version: '3.28' + version: '3.30' Apache::AuthCookie::Util: file: lib/Apache/AuthCookie/Util.pm - version: '3.28' + version: '3.30' recommends: WWW::Form::UrlEncoded::XS: '0' requires: @@ -51,11 +51,12 @@ HTTP::Body: '0' Hash::MultiValue: '0' Test::More: '0.94' + URI: '1.36' WWW::Form::UrlEncoded: '0' resources: bugtracker: https://github.com/mschout/apache-authcookie/issues homepage: https://github.com/mschout/apache-authcookie repository: https://github.com/mschout/apache-authcookie.git -version: '3.28' +version: '3.30' x_generated_by_perl: v5.26.2 x_serialization_backend: 'YAML::Tiny version 1.73' diff -Nru libapache2-authcookie-perl-3.28/scripts/docker-shell libapache2-authcookie-perl-3.30/scripts/docker-shell --- libapache2-authcookie-perl-3.28/scripts/docker-shell 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-authcookie-perl-3.30/scripts/docker-shell 2020-04-14 15:36:57.000000000 +0000 
@@ -0,0 +1,14 @@ +#!/usr/bin/env bash + +set -eo pipefail + +DOCKER_IMAGE=$1 + +if [ -z "$DOCKER_IMAGE" ]; then + echo "Usage: $0 docker-image-tag" + exit 1 +fi + +cd $(dirname $0)/.. + +docker run --rm -v $PWD:/app -it $DOCKER_IMAGE bash diff -Nru libapache2-authcookie-perl-3.28/scripts/docker-smoke libapache2-authcookie-perl-3.30/scripts/docker-smoke --- libapache2-authcookie-perl-3.28/scripts/docker-smoke 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-authcookie-perl-3.30/scripts/docker-smoke 2020-04-14 15:36:57.000000000 +0000 @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +set -eo pipefail + +cd $(dirname $0)/.. + +cpanm -q --notest --installdeps . + +chown -R http:http . + +su -c 'perl Makefile.PL && make test' http diff -Nru libapache2-authcookie-perl-3.28/scripts/dzil-build libapache2-authcookie-perl-3.30/scripts/dzil-build --- libapache2-authcookie-perl-3.28/scripts/dzil-build 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-authcookie-perl-3.30/scripts/dzil-build 2020-04-14 15:36:57.000000000 +0000 @@ -0,0 +1,9 @@ +#!/bin/bash + +set -xeo pipefail + +cd $(dirname $0)/.. + +dzil authordeps --missing | cpanm -q --notest + +dzil build $* diff -Nru libapache2-authcookie-perl-3.28/scripts/run-docker-tests libapache2-authcookie-perl-3.30/scripts/run-docker-tests --- libapache2-authcookie-perl-3.28/scripts/run-docker-tests 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-authcookie-perl-3.30/scripts/run-docker-tests 2020-04-14 15:36:57.000000000 +0000 
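Review bot: `cd $(dirname $0)/..` and `-v $PWD:/app` are unquoted, so a checkout path containing whitespace is split into several words before `cd` and `docker run` see it; write `cd "$(dirname "$0")/.."` and `docker run --rm -v "$PWD:/app" -it "$DOCKER_IMAGE" bash`. The same unquoted `cd $(dirname $0)/..` appears in scripts/docker-smoke and scripts/dzil-build.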
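Review bot: `chown -R http:http .` runs against the bind-mounted checkout (scripts/run-docker-tests mounts the host build directory at /app), so it rewrites the ownership of every file in the host tree to whatever uid `http` has inside the image, and after a smoke run those files may no longer be writable by the developer. Working on a copy inside the container, e.g. `cp -a /app /build && cd /build` before the `chown`, keeps the host tree untouched. A short header comment stating that the script expects to run as root inside the image and which user it drops to would also help the next reader.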
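Review bot: `dzil build $*` re-splits the script's arguments, so an argument containing whitespace reaches dzil as several words; use `dzil build "$@"`. This script uses `#!/bin/bash` while the sibling scripts added in the same release use `#!/usr/bin/env bash`; one shebang form across scripts/ is easier to maintain.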
@@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +IMAGES="\ + mschout/modperl:apache-1.3-perl-5.10-mp-1.32\ + mschout/modperl:apache-2.0.53-perl-5.14.4-mp-2.0.9\ + mschout/modperl:apache-2.2.31-perl-5.20.3-mp-2.0.9\ + mschout/modperl:apache-2.4.38-perl-5.20.3-mp-2.0.11\ +" + +set -eo pipefail + +builddir=$1 + +if [ -z "$builddir" ]; then + echo "Usage: $0 ./path/to/Apache-AuthCookie-X.YY" + exit 1 +fi + +test_in_docker_image() { + local docker_image=$1 + + echo ">>> Testing in image $docker_image" + docker run --rm -v $builddir:/app -it $docker_image /app/scripts/docker-smoke +} + +for image in $IMAGES; do + test_in_docker_image $image +done diff -Nru libapache2-authcookie-perl-3.28/SIGNATURE libapache2-authcookie-perl-3.30/SIGNATURE --- libapache2-authcookie-perl-3.28/SIGNATURE 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/SIGNATURE 2020-04-14 15:36:57.000000000 +0000 
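Review bot: `docker run --rm -v $builddir:/app -it $docker_image /app/scripts/docker-smoke` passes `-t`, which needs a terminal; when the script is driven from CI or another non-interactive context docker will, as far as I can tell, refuse to allocate the TTY and the loop aborts under `set -e`, so drop `-t` or make it conditional on `[ -t 0 ]`. `$builddir` is unquoted in the `-v` argument and the usage line suggests a relative path, whereas a bind-mount source is normally expected to be absolute; `builddir=$(cd "$1" && pwd)` after the emptiness check resolves both. Holding the images in a bash array iterated with `"${IMAGES[@]}"` would avoid relying on word splitting of the backslash-continued string.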
@@ -14,32 +14,36 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 -SHA1 fe72ac1f2889686a810cd2de3e09c3aefa7f52e7 Changes +SHA1 375a1955e84a3fa4818c3d7461bb3c5edf1cd60e Changes SHA1 cb36dd242de6d18cd64c4b55444347ebf09e43e7 LICENSE -SHA1 def2e0aaac81605fb2882534da78860f2f3a6d06 MANIFEST -SHA1 0ff75e1a6186d7274e76387884eca541fdd5ca4a MANIFEST.SKIP -SHA1 b3fb49bc74ad5ef515d5daaf288469a21eca0a1a META.json -SHA1 e52c3b60a1c1a46c197bbfbaab54d1cd1152e409 META.yml -SHA1 7e82961d4f23d5d33785c700d036b8c3b11f87ba Makefile.PL +SHA1 542696e08fe645aebe960ab6f83ce5637a120921 MANIFEST +SHA1 dcf4f2dbf2980048059f61a840b89bc7579b7bed MANIFEST.SKIP +SHA1 151de4b6221541d0d0100a6d36f1a87bace9e119 META.json +SHA1 a48643fb7bf77ea3afc1ffb3b7db4c7829c4b7a3 META.yml +SHA1 6418160ab4308442b78bae60945c1d2b6591313f Makefile.PL SHA1 b9945378262a25db34dcdba06da956a52876188b README SHA1 f9d2e5d4bcafb4b3d73b0a1f390aa25579cafbd2 README.apache-2.4.pod SHA1 ccbc46a0385aabadd1e6f4a22f8d4ebb11b44901 README.modperl2 -SHA1 e5b590c4028e31fc4e2e05d0d790c951505ca76c lib/Apache/AuthCookie.pm -SHA1 a5a155c7c1114bd1521b166fe2289b6d8defcc8f lib/Apache/AuthCookie/FAQ.pod -SHA1 5591f3a83dcfd292b018f8dcfd75d32378627468 lib/Apache/AuthCookie/Params.pm -SHA1 8b96d310e565562e1c131cdb2e9e97741aa82579 lib/Apache/AuthCookie/Params/Base.pm -SHA1 61d90732b1757078c17ac45199ca5e6797ab79eb lib/Apache/AuthCookie/Params/CGI.pm -SHA1 2e4d31e8fffef85465c6567ea7311dc515a058dc lib/Apache/AuthCookie/Util.pm -SHA1 4c9362a58bea52476dffda3a48d9d628ee61166a lib/Apache2/AuthCookie.pm -SHA1 6c515c233a85b35b208b6a0b77a6ebf2b694a871 lib/Apache2/AuthCookie/Base.pm -SHA1 026f7f258bb85168c4a8fcde905e58508728f397 lib/Apache2/AuthCookie/Params.pm -SHA1 33026bb4f30abe1d5a2afd8827dd6f4d6d1bcef7 lib/Apache2_4/AuthCookie.pm +SHA1 fc0708f4b4e74f2b3dcb8ca82409ff85360a3185 lib/Apache/AuthCookie.pm +SHA1 230cc7f97f735ad51defd14cbbb99a65afb2a671 lib/Apache/AuthCookie/FAQ.pod +SHA1 1487322b93fe2494c348b6cf47caa790f1250a71 lib/Apache/AuthCookie/Params.pm 
+SHA1 22b0ccea20bc7aebb74a14808eb3dd8243c06ece lib/Apache/AuthCookie/Params/Base.pm +SHA1 c545d90e446fea48500e5f6ae0190e7837d402a3 lib/Apache/AuthCookie/Params/CGI.pm +SHA1 8c8aef69590175ec89d2971002fb6068604b71aa lib/Apache/AuthCookie/Util.pm +SHA1 e346c43e215195b235a201bc5a7b7ed4f37bde93 lib/Apache2/AuthCookie.pm +SHA1 e2b0026242aec662b74bd9c25cdf70aae988b76e lib/Apache2/AuthCookie/Base.pm +SHA1 9e334ee16e5ce6d6b6a13d187fe3dad0d748dfbb lib/Apache2/AuthCookie/Params.pm +SHA1 14ecc1018b1164c9de41a32fc42fbc262371631b lib/Apache2_4/AuthCookie.pm +SHA1 e9a1441d3978e0c7f20373cdffde4e44059f1f59 scripts/docker-shell +SHA1 202ecf6a31c02ad029aa6e372ece61a935dd74bf scripts/docker-smoke +SHA1 fd937f1a4ab774883c703fb869c9108eabbce5f1 scripts/dzil-build SHA1 fee15f1cd6c3fe17e8370838aafe6d54bfd72611 scripts/perlbrew-smoke +SHA1 c3fe2ecbcdea18bfb66ee1b48cdc3120af6dff2d scripts/run-docker-tests SHA1 3ac8de46e7bba83f6969caec3c9c14cbd99881cb t/Skeleton/AuthCookieHandler.pm SHA1 b1f854e6edecbdd44fc7b8db719e0fe21d9340d1 t/TEST.PL SHA1 8efad25309730a4d501fb40fc03eda4697303372 t/author-pod-syntax.t SHA1 19cc343f8a85c6805bbeb02580487483a6283887 t/author-signature.t -SHA1 fa77f587d29613a40b627846db67d69442c11ac0 t/conf/extra.conf.in +SHA1 a6db6d6b6791f6b296c2b4da81ba6ba563c40375 t/conf/extra.conf.in SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/authall/get_me.html SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/authany/get_me.html SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/cookiename/get_me.html 
@@ -50,30 +54,32 @@ SHA1 b9eca1b328da7d703abaec2d6a6d5751866843ac t/htdocs/docs/logout.pl SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/myuser/get_me.html SHA1 b37a85d16cbb2342b407f2ba70b8a61aa1ca67bb t/htdocs/docs/protected/echo_user.pl +SHA1 24be947e7f5f765c02bab477dd47d0915e061bcf t/htdocs/docs/protected/enforce-local/no-default/index.html +SHA1 d767e693a331d021863a40f43f348ce688bae595 t/htdocs/docs/protected/enforce-local/with-default/index.html SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/protected/get_me.html SHA1 077d964c9f67b5dfe4f5f6a73c71ccbd60bd03af t/htdocs/docs/protected/index.html SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/stimeout/get_me.html SHA1 b17cdb6e4dfb752901c2a9df5ce822a2d54b92b5 t/lib/Sample/Apache/AuthCookieHandler.pm SHA1 9ba342e14a302d89f38ab063c56e5ae000a7595c t/lib/Sample/Apache2/AuthCookieHandler.pm SHA1 b19593e0dc51baa6a4d84bc27da2e53632ab8592 t/lib/Sample/Apache2_4/AuthCookieHandler.pm -SHA1 28df698c77347acf6a6957bef1483d0c01ad282a t/real.t +SHA1 b872739fede90854e5685bfb60ff9408cba73fc1 t/real.t SHA1 f0c37746e0277de1ddb62c9227628a5ebe5a777a t/signature.t SHA1 e91bf0ef7d63322eaf15ca7d9907c6db47ce90ca t/startup.pl SHA1 da33f704880ddd2596521c39be5b7b6a22913882 t/util.t -----BEGIN PGP SIGNATURE----- -iQJFBAEBCAAvFiEE2EtuRfhGgngE8PsARAzvLrlUzY4FAl3UDA8RHG1zY2hvdXRA -Y3Bhbi5vcmcACgkQRAzvLrlUzY4vYxAAgBF2GxUwOVraAgI7NOxMVMS0VTWMy0Je -ro/AsnjK2OwdA7RCcWzG3YT7QwElduROYLu5DkRrblibPjfiYGDs9J8Th5m7MLHp -jmDYjAFJEviEHn0sRl0YfLdmcC7BXxR6ypstJg5DRugjJ+ekBdWBSPH5KQ04iDa+ -xZD/kWwglSn3QL3Q9ySJ0NsTYKQTlCMmxW2hVZubMQfz8TWNmMJ+ChxHO48yjXhu -EHxVliK5ZC1eFSfuVD/UVjMIe/KSrYE5rr5Q9Bz8Nrf2BkDhCtIyvYs7is5v0Pki -VQqiXG4tbYfjBUP73F3kswCMtHu3o4LSGBUnsPZvc2suhm+YbLcvPJF53KFDXWe1 -9ebVC8D7wx5zmAsSm2yUnirxWls4IzBTwaYCPYfy1cllAhvLhoDVkE09qgpsuSdx -P8Tki1rZFcK1Zw8OsdALJIB0r/HZQHPRCPdmbR604+W2i/5ZTfyjNxE86ZrbQNVz -xrmlxN8BLsH7/ezSw1X2ZDoMQLPjANm0l60ElljgkkMK5reqvbnGatFzBgj7fNec 
-Oan7QAsf0ZXsh908apgBmNTMNG7KX0e2KHipeFN7E9g/wVq10MzAgKJq+PekZTty -FkonaTfafOzKNr2LtTadR0/hvepP7hc1e5KH0Gy7bHizZAom5D5l/jmtiZkjGGno -7wUilSo5T6s= -=Pnp+ +iQJFBAEBCAAvFiEE2EtuRfhGgngE8PsARAzvLrlUzY4FAl6V2JkRHG1zY2hvdXRA +Y3Bhbi5vcmcACgkQRAzvLrlUzY7/9Q/9Hk6EjLkTbl2gT/2i4bYPsmIu3IhNxaY8 +eWEEYR2+F3gsHmt4fEeKQiXtqQsJw7Vkd2AyvDmwvsBU0TWvW+TA4yWFFr0lEItE +TEsFcmm6P/7uvUqPj6AaCO95lLBwyAtOtEQ/wUdWw/EsgQcgcuYpY4x4loerZ5w/ +wL2an6FXUw7UgMKmnkG6nzWTvBQ7gsgTjVIBDal+QVSSE0Iar/CDdB0Y2m94BAPy +tOOUhkR0Vjdknq/QZcgZLLByknEWWtn1X5QqLiPR0sPHQlXTe9CTVICeWwdydtS8 ++tk1fXxxaTl801a7PMnpEtDvfJALQODh0SLgl/SZFE/UUnCnGuk/DWP33gjnjYEP ++10FqN6UaHSYp2FqQHGomWFXZhP0oNTJmyN9qaYrxeRgwF2wEZm/HD2rgkJBrDwR +2he6FR9382FBhOtjg1RNh7HPQWzKbrfExcqIlOgsnp85bn8zwr1Aztsw5tEAk6dc +HINFAOLqWnPdRGpioUDN7WRRNm5BRUZXzotvKB5I6RPT85NDeksuELtXdHPx0YSA +k9n0k8tQDBEZQ/VOkMc3nb6F/lg+298X9WErJLfCP3NLal4jan2iJwnsgE7u1DRw +kua420FkTafZQgbzmJHrTs11eGUPs/IwJwKNx3++oUqwWcsR0IktNBY9hjcG051N +Yg+R6gUlKPk= +=1BzL -----END PGP SIGNATURE----- diff -Nru libapache2-authcookie-perl-3.28/t/conf/extra.conf.in libapache2-authcookie-perl-3.30/t/conf/extra.conf.in --- libapache2-authcookie-perl-3.28/t/conf/extra.conf.in 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/t/conf/extra.conf.in 2020-04-14 15:36:57.000000000 +0000 
@@ -239,6 +239,92 @@ + + AuthName WhatEver + SetHandler perl-script + PerlSetVar WhatEverDefaultDestination /docs/protected/index.html + + + AuthType Sample::Apache::AuthCookieHandler + PerlHandler Sample::Apache::AuthCookieHandler->login + + + + AuthType Sample::Apache2::AuthCookieHandler + + + AuthType Sample::Apache2_4::AuthCookieHandler + Require all granted + + PerlResponseHandler Sample::Apache2::AuthCookieHandler->login + + + + + AuthName WhatEver + SetHandler perl-script + PerlSetVar WhatEverEnforceLocalDestination On + PerlSetVar WhatEverDefaultDestination /docs/protected/index.html + + + AuthType Sample::Apache::AuthCookieHandler + PerlHandler Sample::Apache::AuthCookieHandler->login + + + + AuthType Sample::Apache2::AuthCookieHandler + + + AuthType Sample::Apache2_4::AuthCookieHandler + Require all granted + + PerlResponseHandler Sample::Apache2::AuthCookieHandler->login + + + + + AuthName WhatEver + SetHandler perl-script + PerlSetVar WhatEverEnforceLocalDestination On + PerlSetVar WhatEverDefaultDestination http://metacpan.org + + + AuthType Sample::Apache::AuthCookieHandler + PerlHandler Sample::Apache::AuthCookieHandler->login + + + + AuthType Sample::Apache2::AuthCookieHandler + + + AuthType Sample::Apache2_4::AuthCookieHandler + Require all granted + + PerlResponseHandler Sample::Apache2::AuthCookieHandler->login + + + + + AuthName WhatEver + SetHandler perl-script + PerlSetVar WhatEverEnforceLocalDestination On + + + AuthType Sample::Apache::AuthCookieHandler + PerlHandler Sample::Apache::AuthCookieHandler->login + + + + AuthType Sample::Apache2::AuthCookieHandler + + + AuthType Sample::Apache2_4::AuthCookieHandler + Require all granted + + PerlResponseHandler Sample::Apache2::AuthCookieHandler->login + + + # login action that sets HttpOnly PerlSetVar WhatEverHttpOnly On diff -Nru libapache2-authcookie-perl-3.28/t/htdocs/docs/protected/enforce-local/no-default/index.html 
libapache2-authcookie-perl-3.30/t/htdocs/docs/protected/enforce-local/no-default/index.html --- libapache2-authcookie-perl-3.28/t/htdocs/docs/protected/enforce-local/no-default/index.html 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-authcookie-perl-3.30/t/htdocs/docs/protected/enforce-local/no-default/index.html 2020-04-14 15:36:57.000000000 +0000 @@ -0,0 +1,9 @@ + + +Congratulations + + +

Congratulations, you got enforce-local/no-default/index.html

+

Log Out

+ + diff -Nru libapache2-authcookie-perl-3.28/t/htdocs/docs/protected/enforce-local/with-default/index.html libapache2-authcookie-perl-3.30/t/htdocs/docs/protected/enforce-local/with-default/index.html --- libapache2-authcookie-perl-3.28/t/htdocs/docs/protected/enforce-local/with-default/index.html 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-authcookie-perl-3.30/t/htdocs/docs/protected/enforce-local/with-default/index.html 2020-04-14 15:36:57.000000000 +0000 @@ -0,0 +1,9 @@ + + +Congratulations + + +

Congratulations, you got enforce-local/with-default/index.html

+

Log Out

+ + diff -Nru libapache2-authcookie-perl-3.28/t/real.t libapache2-authcookie-perl-3.30/t/real.t --- libapache2-authcookie-perl-3.28/t/real.t 2019-12-01 16:45:23.000000000 +0000 +++ libapache2-authcookie-perl-3.30/t/real.t 2020-04-14 15:36:57.000000000 +0000 @@ -13,13 +13,18 @@ use Apache::TestUtil; use Apache::TestRequest qw(GET POST GET_BODY); use Encode qw(encode); +use URI; Apache::TestRequest::user_agent( reset => 1, requests_redirectable => 0 ); -plan tests => 34, need_lwp; +plan tests => 39, need_lwp; ok 1, 'Test initialized'; +# extract the configured hostname + port from Apache::Test +my $apache_test_config = Apache::Test::config(); +my $host_port = Apache::TestRequest::hostport($apache_test_config); + # TODO: the test descriptions should be things other than 'test #' here. # check that /docs/index.html works. If this fails, the test environment did @@ -446,10 +451,10 @@ plan tests => 1; my $r = POST('/LOGIN', [ - destination => '">
Embedded Form
' + destination => '/">
Embedded Form
' ]); - like $r->content, qr{"%22%3E%3Cform method=%22post%22%3EEmbedded Form%3C/form%3E"}; + like $r->content, qr{"/%22%3E%3Cform method=%22post%22%3EEmbedded Form%3C/form%3E"}; }; # embedded script tags 
@@ -537,6 +542,168 @@ is $body, 'programmer'; }; +# Test DefaultDestination +subtest 'DefaultDestination' => sub { + plan tests => 1; + + my $r = POST('/LOGIN-WITHDEFAULT', [ + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), '/docs/protected/index.html', + 'redirected to default destination'); +}; + +subtest 'DefaultDestination' => sub { + plan tests => 3; + + my $r = POST('/LOGIN-WITHDEFAULT', [ + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), '/docs/protected/index.html', + 'redirected to default destination - no destination in params'); + + $r = POST('/LOGIN-WITHDEFAULT', [ + destination => 'http://metacpan.org/', + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), 'http://metacpan.org/', + 'redirected to remote default destination'); + + $r = POST('/LOGIN-WITHDEFAULT', [ + destination => '/docs/protected/get_me.html', + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), '/docs/protected/get_me.html', + 'redirected to requested local default destination'); +}; + +subtest 'EnforceLocalDestination with default destination' => sub { + plan tests => 5; + + my $r = POST('/LOGIN-ENFORCELOCAL-WITHDEFAULT', [ + destination => 'http://metacpan.org/', + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), '/docs/protected/index.html', + 'redirected to default destination - remote destination in params'); + + $r = POST('/LOGIN-ENFORCELOCAL-WITHDEFAULT', [ + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), '/docs/protected/index.html', + 'redirected to default destination - no destiantion in params'); + + $r = POST('/LOGIN-ENFORCELOCAL-WITHDEFAULT', [ + destination => '/docs/protected/get_me.html', + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), '/docs/protected/get_me.html', + 
'redirected to requested local destination'); + + $r = POST('/LOGIN-ENFORCELOCAL-WITHDEFAULT', [ + destination => '//metacpan.org/index.html', + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), '/docs/protected/index.html', + 'redirected to default destination - protocol-relative destination in params'); + + my $abs_destination = URI->new("http://${host_port}/docs/protected/get_me.html")->as_string; + note "abs destination: $abs_destination"; + $r = POST('/LOGIN-ENFORCELOCAL-WITHDEFAULT', [ + destination => $abs_destination, + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), $abs_destination, + 'redirected to requested destination - absolute URI is local to current request'); +}; + +subtest 'EnforceLocalDestination with no default destination' => sub { + plan tests => 4; + + my $r = POST('/LOGIN-ENFORCELOCAL-NODEFAULT', [ + destination => 'http://metacpan.org/', + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + like($r->content, qr/Failure reason: 'no_cookie'/, + 'login form was returned for remote destination'); + + $r = POST('/LOGIN-ENFORCELOCAL-NODEFAULT', [ + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + like($r->content, qr/Failure reason: 'no_cookie'/, + 'login form was returned for no destination in params'); + + $r = POST('/LOGIN-ENFORCELOCAL-NODEFAULT', [ + destination => '/docs/protected/get_me.html', + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), '/docs/protected/get_me.html', + 'Got redirected to protected document for local destination'); + + $r = POST('/LOGIN-ENFORCELOCAL-NODEFAULT', [ + destination => '//metacpan.org/index.html', + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + like($r->content, qr/Failure reason: 'no_cookie'/, + 'login form was returned - protocol relative destination in params'); +}; + +subtest 'EnforceLocalDestination with non local default 
destination' => sub { + plan tests => 3; + + my $r = POST('/LOGIN-ENFORCELOCAL-REMOTEDEFAULT', [ + destination => "http://metacpan.org/", + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + like($r->content, qr/Failure reason: 'no_cookie'/, + 'login form was returned for non local destination'); + + $r = POST('/LOGIN-ENFORCELOCAL-REMOTEDEFAULT', [ + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + like($r->content, qr/Failure reason: 'no_cookie'/, + 'login form was returned for no destination in params'); + + $r = POST('/LOGIN-ENFORCELOCAL-REMOTEDEFAULT', [ + destination => '/docs/protected/get_me.html', + credential_0 => 'programmer', + credential_1 => 'Hero' + ]); + + is($r->header('Location'), '/docs/protected/get_me.html', + 'Got redirected to protected document for local destination'); +}; + # remove CR's from a string. Win32 apache apparently does line ending # conversion, and that can cause test cases to fail because output does not # match expected because expected has UNIX line endings, and OUTPUT has dos
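Review bot: The new EnforceLocalDestination matrix treats only `http://metacpan.org/` and `//metacpan.org/index.html` as non-local, so it does not pin the open-redirect bypass shapes browsers accept as scheme-relative or that defeat a host-prefix compare: `/\metacpan.org/` (backslash normalised to a slash), `///metacpan.org/`, and a userinfo-prefixed `http://${host_port}@metacpan.org/`. The check itself lives in the library rather than in this hunk, so I cannot tell which of these it already rejects; adding them as cases that must fall back to the default destination (and, mirrored in the no-default subtest, must return the login form) pins the behaviour either way, with the subtest's `plan tests` raised by the number of added cases. The fifth case asserts that an absolute URI matching `hostport()` is accepted as local; a comment such as `# 'local' here means same host:port as the test server — if the library derives this from the request's Host header rather than ServerName, that value is client-controlled` would flag the assumption for whoever maintains the check. Minor: two consecutive subtests are both named 'DefaultDestination' and the first is a strict subset of the second, and 'no destiantion' in the second description is a typo.
```perl
# … unchanged: existing EnforceLocalDestination with default destination cases …
for my $evil ("/\\metacpan.org/", "///metacpan.org/", "http://${host_port}\@metacpan.org/") {
    my $r = POST('/LOGIN-ENFORCELOCAL-WITHDEFAULT', [
        destination  => $evil,
        credential_0 => 'programmer',
        credential_1 => 'Hero'
    ]);
    is($r->header('Location'), '/docs/protected/index.html',
        "redirected to default destination - bypass-shaped destination '$evil'");
}
```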