From 610006d4252ce69fdf6d64c681b81f542e6d5c94 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Mon, 28 Mar 2011 14:12:43 +0200
Subject: [PATCH] Fix infinite redirect loop.

Handle the edge case where gateway-ing is enabled, the upstream CAS session has expired but the client still sends a MOD_AUTH_CAS cookie. If we redirect to the CAS server with a query string of "service=request_uri&gateway=true", we'd create an infinite loop.

See https://issues.jasig.org/browse/MAS-52
---
 src/mod_auth_cas.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index 63c40bc..5c94d63 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -1910,7 +1910,7 @@ int cas_authenticate(request_rec *r)
 	apr_byte_t parametersRemoved = FALSE;
 	apr_port_t port = r->connection->local_addr->port;
 	apr_byte_t printPort = FALSE;
-
+	apr_byte_t gatewayEnabled = FALSE;
 	char *newLocation = NULL;
 
 	/* Do nothing if we are not the authenticator */
@@ -1942,8 +1942,11 @@ int cas_authenticate(request_rec *r)
 	if(ticket != NULL)
 		parametersRemoved = removeCASParams(r);
 
+	if(d->CASGateway != NULL)
+		gatewayEnabled = strncmp(d->CASGateway, r->parsed_uri.path, strlen(d->CASGateway)) == 0;
+
 	/* first, handle the gateway case */
-	if(d->CASGateway != NULL && strncmp(d->CASGateway, r->parsed_uri.path, strlen(d->CASGateway)) == 0 && ticket == NULL && cookieString == NULL) {
+	if(gatewayEnabled == TRUE && ticket == NULL && cookieString == NULL) {
 		cookieString = getCASCookie(r, d->CASGatewayCookie);
 		if(cookieString == NULL) { /* they have not made a gateway trip yet */
 			if(c->CASDebug)
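Review bot: `gatewayEnabled` is computed from a bare prefix match of `d->CASGateway` against `r->parsed_uri.path`, so a `CASGateway` of `/gw` also switches gateway handling on for `/gwadmin` or `/gw.bak`; that was true of the removed condition too, but the value is now stored and reused by the later expired-session branch, so it governs more than one decision. If the directive is meant to name a directory subtree, the match should also require the character after the prefix to be a path separator or the end of the string (when the configured prefix does not itself end in `/`), e.g. `size_t gl = strlen(d->CASGateway);` followed by `gatewayEnabled = strncmp(d->CASGateway, r->parsed_uri.path, gl) == 0 && (r->parsed_uri.path[gl] == '/' || r->parsed_uri.path[gl] == '\0');`. As a point of style, `gatewayEnabled == TRUE` compares an `apr_byte_t` against one specific value; `if(gatewayEnabled && ticket == NULL && cookieString == NULL)` is the usual form and keeps working if some later assignment stores a non-1 truthy value. The enclosing function `cas_authenticate` starts before this hunk and continues past it.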
@@ -2058,6 +2061,13 @@ int cas_authenticate(request_rec *r)
 			}
 		}
 		return OK;
+	} else if(gatewayEnabled == TRUE) {
+		/* Handle the edge case where gateway-ing is enabled, the upstream CAS session has expired
+		 * but the client still sends a MOD_AUTH_CAS cookie. If we redirect to the CAS server with
+		 * "service=request_uri&gateway=true", we'd create an infinite loop.
+		 */
+		r->main = NULL;
+		return OK;
 	} else {
 		/* maybe the cookie expired, have the user get a new service ticket */
 		redirectRequest(r, c);
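Review bot: `r->main = NULL;` in the new `else if(gatewayEnabled == TRUE)` branch is not explained by the comment block above it, which justifies the branch but not the assignment; a why-comment on that line, stating what clearing the main-request pointer achieves here and what misbehaves if it is left alone, is needed because nothing else in the hunk makes it obvious. The branch returns OK for a request whose MOD_AUTH_CAS cookie did not validate, which is consistent with gateway semantics (anonymous access when there is no CAS session), but the hunk does not show whether `r->user` is still unset at this point; if it is, a `Require valid-user` authz stage will reject the request, and the comment should say which outcome is intended. Presumably the stale cookie stays on the client, so every later request under the gateway prefix will take this branch until the cookie expires; if the module has a way to expire that cookie, doing so here would stop the repeated failed validations, otherwise the comment should note the cost. The enclosing function `cas_authenticate` starts before this hunk and continues past it.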