Pass srcdump request parameter when redirecting etc. For most of CAF's purposes, the srcdump request parameter is not really for srcdump, since it is not related to authentication. Rather, it exists simply because we do not own the application path namespace. So when generating (or requesting) redirects etc. we should treat it as a form parameter relating to the application. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
srcdump: Introduce srcdump_needlogin option This makes it technically fairly straightforward to take advantage of the CAF Login Exception. In the resulting website the source download link is only present on the login page unless the application also provides such a link, but that link is functional after logging in and can easily be used by bookmarking the url or using multiple browser tabs. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Licence: Add copyright and licence statement to many files The licence (including exception) applies to the whole project, as would be expected. Document this. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk> Signed-off-by: Ian Jackson <ijackson@eu.citrix.com>
Licence: Provide CAF Login Exception With the current AGPLv3 licence, someone who deploys a modified CAF must make available their whole web application to all callers. This means that it is not possible to deploy a completely private web application using CAF. I don't think this is desirable. My intention in using the AGPLv3 is not to force everyone to publish their source code outside their user community. To put it another way: I want to flatten the power relationship between a website's users and its operators. But it is not my aim to undo the power imbalance between a website's authorised users and other people on the internet. Indeed such an objective would be bizarre for a module whose function is to enforce access control. I do want to try to make it possible for authorised users of a website, who don't like the decisions made by its operator, to set up an instance of their own, with modifications to their own taste. I'm therefore providing what I'm calling the "CAF Login Exception, v1" as an Additional Permission (as contemplated by AGPLv3 s7). I have also discussed this with my management at Citrix (since Citrix is also a copyrightholder). Permission was granted orally by my line manager in an in-person conversation on Tuesday the 27th of October. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
srcdump: git: Do not include ~ files in .git Eg, COMMIT_EDITMSG~. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
_check_divert_core: Update cookie lifetime when request is OK The timeout should be from last load, not from login. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Introduce STALE divert kind This is discussed in the algorithm comment in _check_divert_core, but was not implemented. Sadly this means we were missing a divert kind - however, apps which don't handle it should die if they don't understand the divert kind, which is what we did ourselves previously. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
check_nonpage: Handle ParmT ne 'y' correctly If check_nonpage needs to check authenticity of the submission, only a valid hidden form parameter ought to be permitted. This seems to have simply a logic error where (in 2cc2bcd0 "javascript hijacking fix") I thought ParmT was a perl booleanish; but, of course, it isn't. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
_check_divert_core: Minor comment reformatting Remove a couple of `/' which are not needed for clarity. We are going to add more cases to some of the other entries which will involve removing their `/' too. No change even to the meaning of the comment. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
_check_divert_core: Change handling of $parmt=='t' This can mean that the form parameter refers to a cookie now deleted from the db: ie one relating to a previous user session. This is not a bug or (necessarily) an attack; it might simply mean that the submission comes from a page generated in a previous login session. So handle this case the same way as $parmt=='n' (ie, expired hidden parameter value). (Double-checked by searching the function beyond that point for references to parmt.) Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
blinding: Fix (again) move of Params setting into check_divert Do not inadvertently autovivify $divert as an arrayref. If we do then the web app (or check_ok) sees it as trueish and will try diverting with an empty divert spec, rather than seeing it as falseish and correctly proceeding to do the real work. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
API: Expose $authreq->chain_params() Contrary to what I said in a97dc2ce, it seems that this function is indeed useful. test/cgi wants it! Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
blinding: Use . as separator rather than / (which ends up as %2e) Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
blinding: Fix move of Params setting into check_divert We were setting various things in $r rather than $r->{Divert}. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
srcdump: Report tar output to stderr, not stdout Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
blinding: Properly lift _blind and _unblind for "" and undef Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
blinding: Blind cookies and hidden form param Each time we generate a cookie or a hidden form parameter, generate some random hex digits and xor them with the hex digits in the cookie or parameter value. Our cookies contain decimal digits, and punctuation, too. The decimal digits are simply blinded the same way (which is fine) and the punctuation is left alone. It's the actual values we care about. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
blinding: Remove handling of REDIRECT-LOGOUT Nothing sets $kind to REDIRECT-LOGOUT. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
blinding: Move another setting of Params into check_divert Previously, divert_ok had the knowledge of the need to set the first of loggedout_param_names. Put this into check_divert. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
blinding: Move setting of Params into check_divert Previously, divert_ok had the knowledge of the need to set assoc_param_name in some cases. Put this into check_divert. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
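
The blinding described in the "blinding: Blind cookies and hidden form param" commit above, as an added Perl example that is not CAF's own code. The function names, the `mask.value` layout, the use of /dev/urandom and the sample value are assumptions; the log itself only says that random hex digits are xored with the value's hex digits, that punctuation is left alone, that `.` is the separator, and that "" and undef are handled.

```perl
use strict;
use warnings;
# Random hex digits from the kernel CSPRNG (assumes a Unix-like /dev/urandom).
sub random_hex {
    my ($n) = @_;
    return '' unless $n;
    my $want = int(($n + 1) / 2);
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = read($fh, my $buf, $want);
    die "short read from /dev/urandom" unless defined $got && $got == $want;
    return substr(unpack('H*', $buf), 0, $n);
}

# XOR each lowercase hex digit with the next mask digit; punctuation is copied.
sub xor_hex_digits {
    my ($text, $mask) = @_;
    my @m = split //, $mask;
    $text =~ s{([0-9a-f])}{
        die "mask too short" unless @m;
        sprintf '%x', hex($1) ^ hex(shift @m);
    }ge;
    die "mask too long" if @m;
    return $text;
}

sub blind_value {
    my ($value) = @_;
    return $value unless defined $value && length $value;  # "" and undef as-is
    my $n = () = $value =~ /[0-9a-f]/g;                     # count hex digits
    my $mask = random_hex($n);
    return $mask . '.' . xor_hex_digits($value, $mask);    # assumed layout
}

sub unblind_value {
    my ($blinded) = @_;
    return $blinded unless defined $blinded && length $blinded;
    my ($mask, $rest) = $blinded =~ /\A([0-9a-f]*)\.(.*)\z/s
        or die "malformed blinded value";
    return xor_hex_digits($rest, $mask);
}

# Constructed sample value: hex digits, decimal digits and punctuation.
my $secret = '9f3c27ab01d4e685.1446000000';
for (1 .. 2) {
    my $wire = blind_value($secret);
    print "blinded: $wire\n";    # a fresh mask, so the text differs each call
    die "round trip failed" unless unblind_value($wire) eq $secret;
}
```

The receiver rejects a value whose mask length does not match the number of hex digits, so a truncated or padded parameter fails before any comparison against the stored secret.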