CHANGES

2.0.5 - 2017-05-26 mgk25

  . delete obsolete Apache 1.3 code and macros (GitHub #18)

2.0.4 - 2017-05-24 mgk25

 . Fix handling of directive "ErrorDocument 401 ..." on Apache 2.4.13 or later

2.0.3 - 2017-05-27 mcv21

 . Updated Ubuntu packaging

2.0.2 - 2015-03-11 mcv21

 . Restrict kid to be 1-8 digits, not beginning with a 0.

   gr348 reported a directory-traversal vulnerability in
   mod_ucam_webauth, since thile the code removes '/' from the 'kid'
   field, it does not remove any other path-separator characters
   (e.g. '\' on Windows). In the light of this, the specification of
   the 'kid' field in the ucamwebauth protocol has been tightened up,
   and mod_ucam_webauth now enforces this new, stricter definition.

2.0.1.1 - 2014-11-11 mcv21

 . Set AAPRINCIPAL as well as AAPrincipal (to match documentation)

 . Correct documentation to note that Raven sets "current" not "Current"

 . Ubuntu and Debian packaging for Apache 2.4 support

2.0.1 - 2014-01-09 mcv21

 . Set HttpOnly attribute in cookies

   This tells browsers to only expose this cookie during an http(s)
   request, and not, for example, to javascript code. This helps to
   reduce the possibility of cross-site scripting attacks.

 . Add the AACookieForceSecure directive

   Mod_ucam_webauth sets the "secure" attribute in the session cookie
   when it is invoked over https. Under some specialised
   circumstances, you may wish to force it to set this attribute when
   invoked over http. This directive lets you do so.

2.0.0 - 2013-06-18 mcv21

 . Add support for Ucam WebAuth protocol version 3

   Protocol version 3 includes support for "ptags"; these are a set of
   tags that may apply to a user. The only ptag in use at the moment
   is "Current", which means that the authenticated user is a current
   student or member of staff. The default behaviour is to require
   this ptag to be set, which is the same behaviour as was seen with
   version 2 of the protocol (for which the server will only
   authenticate current staff and students). If you might want to
   allow users without the "Current" ptag, please see README.Config
   for more details.

 . Multiple C code fixes (const-correctness, error handling, etc.)

 . Debian & Ubuntu .debs available

 . Documentation fixes (typing errors, etc.)

 . Update FSF's address in licence texts.

 . Remove references to Apache 1.3. Apache 1.3 is no longer supported,
   and this version of mod_ucam_webauth will not build against it.

1.4.4 - 2013-05-25 mcv21

 . Add support for Apache2.4. This required a small change to the code
   relating to logging.

   It is expected that the next version of mod_ucam_webauth will no
   longer support Apache 1.3 (which is long obsolete), and may not
   support Apache 2.0. The Apache Software Foundation encourages users
   to upgrade to version 2.2 or 2.4. These newer versions provide a
   better API, which we will use in a future version of
   mod_apache_webauth.

1.4.3 - 2010-03-16 jw

 Enhancements

 . Add partial support for silently querying the authentication server
   in an attempt to identify the currently logged-in user.

   The Ucam WebAuth protocol makes it possible to silently query the
   authentication server to identify the currently logged-in user. If
   this information can be obtained without interacting with the user
   then their identity is returned. If not, either because they
   haven't logged in to the authentication server or because they want
   to be informed each time their identity is disclosed, then an error
   response is returned. Partial support for this feature is now
   provided by two new directives: AARefuseInteract and
   AANeedInteractMsg. More extensive support for this feature would be
   difficult to achieve without significant changes to the way the
   module operates (and perhaps not even then).

1.4.2 - 2007-05-23 jw

 . Fix a bug causing a segmentation violation if mod_ucam_webauth is
   used to protect an entire website including the root URL and the
   server receives a CONNECT request. The CONNECT method allows https:
   requests to be relayed through proxies but this bug manifests
   even if Apache's support for proxying is disabled. Viruses and
   other malware sometimes attempt to use CONNECT requests in an
   attempt to hide their network address.

1.4.1 - 2007-04-13 jw

 Enhancements

 . The module now sets Apache's internal auth_type value to
   'Ucam-WebAuth' if it has performed authentication (c.f. mod_auth
   setting this to 'Basic'). This in turn causes the CGI environment
   variable AUTH_TYPE to be set. Further, a new directive
   AAForceAuthType allows configuration of the auth_type value
   returned. Something like 'AAForceAuthType Basic' could allow
   authentication systems intended for use with HTTP Basic Auth to
   work under Ucam-WebAuth.

 . Assorted updates to documentation, mainly to correctly address
   Apache 1.3 vs. 2.0 vs. 2.2 issues.

 . Extend RPM '.spec' files to additionally support OpenSuSE 10.2, and
   to require apache2-prefork when building under SuSE since this
   seems to be needed by apxs when building MPM-independent modules.

1.4.0 - 2007-01-30 jw

 Enhancements

 . New directive, AAIgnoreResponseLife. If an authentication response
   message contains a 'life' parameter then agents such as
   mod_ucam_webauth are expected to use it to set an upper limit to
   the lifetime of any session that they establish. The idea being
   that sessions on individual web servers will then not last longer
   than an SSO session established on the authentication server. For
   the rare occasions when it is not appropriate, setting
   'AAIgnoreResponseLife on' overrides this behaviour in which case
   session timeouts will be set by AAMaxSessionLife only. [Thanks to
   Jon Peatfield from DAMTP who provided this functionality]

 . Add note to README.Config warning about the possibility of
   authentication response message replay via log files or network
   snooping.

 . Extend RPM '.spec' files to additionally support SLES (SUSE Linux
   Enterprise Server)

 Bugs fixed

 . Caused file-based custom error messages, such as those established
   with AACancelMsg, to display correctly even if subject to
   AAAlwaysDecode. Previously the presence of AAAlwaysDecode caused
   access to the custom message to be rejected because of the
   'Cancelled' status, resulting in a messy error display to the
   user. AAAlwaysDecode now ignores cookies with an error indicator.

 . Corrected format specifiers in some debug log messages to support
   use on 64-bit systems.

 . Suppressed warning message about 'response' being used without
   initialisation in webauth_authn

1.3.0 - 2005-11-28 jw

 Change to distributions

 . Binary RPMs are no longer being distributed, at least from the
   'official' distribution site, though Source RPMs will continue to
   be provided. To partly compensate for this, the .spec files in the
   source RPMs are now more general and at least stand a chance of
   working unaltered on most distributions. The installation
   documentation now includes instructions for building and installing
   starting with source RPMs.

 . The names given to binary RPMs generated by the provided .spec
   files no-longer include a component identifying the distribution
   for which they are intended.

 Enhancements

 . Major shake-up of the documentation. README is now just a stub
   listing the other files; build and installation instructions now in
   INSTALL, with platform-dependent notes in INSTALL.Platforms;
   configuration reference now in README.Config. Documentation
   extended and (hopefully) improved. INSTALL now includes
   instructions for building and installing RPMs.

 . Update Apache 2 code to use new APR_-prefixed macros rather than
   the deprecated Apache 1.3 set. Apache 1.3 builds still see the old
   names.

 . Extend the default 'no cookie' error page to mention that trying to
   bookmark a login page can provoke 'no cookie' errors.

1.2.2 - 2005-06-09 jw

 Bugs fixed

 . Corrected spelling error ('principle' should be 'principal') in the
   parsing of the AAHeaders directive (and in a corresponding debug
   message).

1.2.1 - 2005-06-02 jw

 Enhancements

 . Added README.Platforms containing platform-specific notes

 . Enhanced the included '.spec' files, and hence the RPMs containing
   the module, to create a directory in the right place to contain the
   public keys needed by the module. For SuSE Linux, this directory is
   created as /etc/httpd/webauth_keys/ and a symlink pointing to it
   created in the true 'default' location of
   /srv/www/conf/webauth_keys/

1.2.0 - 2005-05-31 jw

 Enhancements

 . Made it possible to include authentication information as HTTP
   headers in the request being processed. While of limited use on a
   single server (identical information is available in environment
   variables) this functionality can be useful where authentication is
   performed on one machine and the request subsequently proxyed to
   another. This represents one way in which the authentication
   provided by mod_ucam_webauth can be exploited on a web server other
   than Apache. See the documentation for AAHeaders and AAHeaderKey
   for details.

 . Updated documentation

 Bugs fixed

 . Removed duplicated 'site' from default timeout message

 . Under some circumstances when servers were running on default ports
   a zero was incorrectly added to the end of the cookie name.

 . Cosmetic fix to the debug message dumping AACookieKey

 . Restored debug dumping of configuration data when processing
   authentication.

1.1.0 - 2005-03-22 jw

No code changes - assorted comment and text alterations to make it clear
that the module is distributed under the GNU LGPL.

1.0.7 - 2004-12-07 jw

 Enhancements

 . On the internal default 401 error page, don't display the value of
   ServerAdmin if this is the unhelpful Apache default of "[no address
   given]". General re-wording of this page in an attempt to make its
   meaning easier to understand.

 . For servers running on non-default ports, the port number is added
   to the name of the cookie. While this doesn't provide any
   additional security between multiple port-based servers, it does
   reduce the likelihood of cookies from separate configurations
   interfering with each other.

 . The implementation of AAAlwaysDecode was unnecessarily
   complicated, and could still lead to problems (with Apache
   sub-requests in particular). A simpler implementation (decoding the
   cookie in the Apache 'fixup' handler when necessary) has been
   implemented.

 Bugs fixed

 . Under some circumstances, the presence of this module would cause
   mod_perl's test suite to fail. This seems to be because the test
   suite enumerates the Apache notes table and mod_perl aborts if it
   finds a null pointer in the table. Such a null pointer used to
   appear if the current request isn't have a query string.

1.0.6 - 2004-10-18 jw

 Bugs fixed

 . The Host: header fix in 1.0.5 itself caused problems if a request
   didn't actually include a Host: header.

1.0.5 - 2004-10-12 jw

 Bugs fixed

 . A bug in fix for Host: and host name not matching in 1.0.4 caused a
   redirect loop when used by servers that were not running on the
   default port (80 for http, 443 for https). Now fixed.

1.0.4 - 2004-10-11 jw

 Bugs fixed

 . The code used to read RSA public keys now uses fopen/fclose under
   both Apache 1 and Apache 2 - previously ap_pfopen/ap_pfclose were
   used under Apache 1 but this causes problems when the module is
   compiled for Win32

 . 'strings.h' now not included under WIN32, where it doesn't exist
   and the Apache libraries provide the necessary definitions
   (todo#41)

 . Added README.WIN32

 . Added a redirect if the host name the user specified (as indicated
   by the 'Host' header) doesn't match the server's configured
   name. Without this there is all sorts of scope for confusion with
   cookies being set under one domain and then tested for in another
   (e.g user requests http://www/, by the time he's been bounced via
   the WLS he'll be accessing http://www.example.com/. While these
   URLs may be identical as far as the user's browser is concerned,
   the test cookie will have been set with domain www and therefore
   won't be found) (todo#29)

1.0.3 - 2004-09-13 jw

 Bugs fixed

 . Moved 'system' #include's (string.h, strings.h, time.h) above the
   Apache ones in mod_ucam_webauth.c since the original order causes
   problems under some (Sun's) compilers

1.0.2 - 2004-09-10 jw

[Added missing reference to 'problematic programming constructs' below
- no actual code changes]

1.0.1 - 2004-09-10 jw

 Enhancements

  . AACancelMsg and friends now accept 'none' (case insensitive) as a
    request to revert to their default, built-in messages.

  . The built-in descriptions of the values expected by the various
    configuration directives, as used in some error messages, have
    been improved.

  . Some problematic programming constructs have been replaced with
    more portable ones. The code should now compile on most ANSI C89
    compilers.

 Bugs fixed

  . Fixed an error that caused the module to emit bogus warning
    messages of the form "Failed to validate WLS response ID
    1234567890-12345-1: 200:" (where "200" represents "no error"!).

1.0.0 - 2004-08-24 jw

 What the heck, lets call this 1.0.0!

 Enhancements:

 . Huge reworking of the documentation.

 . The module now responds to 'AuthType Ucam-WebAuth', in addition to
   'WebAuth'. The new name is the recommended and documented form, to
   avoid confusion with other 'Webauth' systems. Support for the old
   name will be removed sometime in the future.

 Bugs fixed

 . From a Raven server login prompt, a sequence such as 'Cancel' ->
   Back -> 'Cancel' could result in a bogus 'No cookie' message
   because, when reporting the first cancel 'error', the module
   deleted the cookie. Now it resets it to the test value to avoid
   this problem. The logout page now also resets the cookie to the
   test value, rather than deleting it, for the same reason. [todo#34]

 . In obscure circumstances (mod_rewrite with a proxy target that
   includes a query string being one example) r->args can be set to a
   new value by the time webauth_authn gets to run so it never sees a
   WLS response. Worked around this with a post_read_request handler
   that stores a private copy of the original args and then modifying
   get_cgi_param to use this rather than r->args. [todo#35]

 . Removed the gcc-only '-Wall' argument from the Makefile. 'make
   OPT=-Wc,Wall' will reproduce the original effect

 . In obscure circumstances (initial login in two browser windows at
   once being the easiest to demonstrate) it's possible for a URL
   containing a WLS Reply to be presented at the same time as a valid
   cookie. If this happens the browser is not redirected to the URL
   from the response because the module trusts the cookie and doesn't
   see the response. This is now handled by always trying to extract
   the URL from any response and redirecting to it if one is
   found. [todo#31]

 . Adjusted the log level of various messages AGAIN; some verbose
   debug messages are now only generated if Apache's LogLevel is such
   that they will actually be logged. Re-worded some messages. Dropped
   'double logging' of errors accessing public key files.

 . 'Built-in' error messages now use Apache's standard signature routine
   and so should honour the setting of ServerSignature. Added DOCTYPE
   declarations to built-in error pages and adjusted them to use the
   corresponding HTML dialect.

 . Problems accessing Raven public keys are now reported via a
   redirect to the original URL (like most other errors involving
   responses) rather than by just aborting. This has the advantage
   that the browser isn't left with a URL containing the WLS-Response
   in its Location bar. Additional information (including any OpenSSL
   error messages) is now be logged following problems validating the
   RSA signature on WLS responses.

 . If the user had selected 'Don't Login' on the Raven server, the
   module incorrectly reported 'Requested session life < 1
   second'. Now fixed.

 . The warning about not supporting POST requests now only happens if
   a POST request is actually redirected.

0.99-1.0.0rc7 - 2004-08-11 jw

 Bugs fixed

 . A failure to set a default value for AALogLevel meant that no
   logging was ever produced unless AALogLevel was explicitly
   set. Since it turns out to be hard to get this right and that
   experience has shown that AALogLevel is of limited use the
   directive is now ignored. For the time being, use of the directive
   produces a warning message - in due course the directive will be
   removed completely and use of it will be an error. Logging is now
   controlled entirely by the main Apache LogLevel directive.

 . Altered some log messages from level 'notice' to level 'info'. It
   seems that Apache always logs 'notice' level messages to the error
   log irrespective of the LogLevel setting (Ugh?)  With LogLevel set
   to 'notice' or higher, only messages about unexpected events will
   now be logged.

0.99-1.0.0rc6 - 2004-07-12 jw

 Enhancements:

  . New config directive AAAlwaysDecode. If in force for a particular
    URL then the module will always attempt to decode the session
    cookie and store the results in the environment even if
    authentication isn't actively required. This could be
    useful for a site that wanted to make information publicly
    available but to customise the information if the user had
    authenticated, or for a site that wanted to mediate all accesses
    through a single point (such as page.php) but wanted to impose its
    own authorisation decisions on who sees what. For example

      AACookieKey <whatever>
      AAAlwaysDecode On
      <Location /login/>
        AuthType WebAuth
        Require valid-user
      </Location>

    would allow everyone to see anything outside /login/. Visiting
    /login/login.html would trigger authentication. Content elsewhere
    in the site (foo.cgi, foo.php, etc) can check if the current user
    is logged-in, and if so who they are, by inspecting the
    REMOTE_USER environment variable.

 Bugs fixed:

  . Fixed a problem that was causing signatures on cookies containing
    space not to verify properly

  . Added +/- 1 sec in addition to clock_skew when validating
    response issue to allow for sub-second clock differences that
    might still take us over a second boundary (suggested by Ben Harris)

  . Fixed compilation problem under Solaris (reported by John Line)

  . Added some cosmetic spaces to Set-Cookie headers

  . Moved most code from main authentication routine into separate
    routines

0.99-1.0.0rc5 - 2004-07-09 jw

 Bugs fixed:

  . Second and subsequent CGI arguments in the original URL end up
    being interpreted as extra (bogus) request parameters by the WLS
    and get removed from the URL itself. Caused by a lack of URL
    escaping within the module. This, and other missing escaping and
    unescaping, has been resolved (todo#24)

  . If a request that doesn't trigger authentication results in
    sub-requests that does (such as when Apache goes looking for
    index.html in response to a request for '..../foo/' where

      <Directory ...foo>
        AuthType webauth
        ...

    is in effect) we may end up with the browser actually requesting
    the target of the sub-request which is quite likely to fail. This
    problem should now be resolved, though it's possible that the
    resolution will have introduced different problems in other
    configurations.

0.99-1.0.0rc4 - 2004-07-05 jw

 Bugs fixed:

  . AAKeyDir could become corrupt on second and subsequent calls to
    the module - reorganised the way default configuration directives
    are managed to avoid this (todo#23).

0.99-1.0.0rc3 - 2004-06-23 jw

 Bugs fixed:

  . Resolved two missing casts in wls_decode

0.99-1.0.0rc2 - 2004-06-23 jw

 Enhancements:

  . Changed default value of AAClockSkew to 0. This parameter will now
    need to be explicitly set on web servers that are not NTP
    synchronised.

  . Added new config directive AALogLevel to set the minimum logging
    level for this module. Revised logging levels so that, at the
    default AALogLevel setting (warn), the module is normally
    silent. Revised many log messages (todo15,18)

  . Added new config directive AAForceInteract. If set to 'On', all
    requests to the authentication server (for initial or repeat
    authentication) will require the user to enter their
    password. This overrides the authentication server's 'single
    sign-on' capability, and may provide increased security at the
    cost of decreased convenience. (todo#7, suggested by Paul Warner)

  . Added new confg directive AAInactivityTimeout. When not 0 (the
    default) this implements an addition authentication timeout based
    on user inactivity, in addition to the 'hard' timeout controlled by
    AAMaxSessionTimeout (todo#6, suggested by Paul Warner)

  . Added new confg directive AACacheControl, possible values 'Off',
    'On', 'Paranoid'. When 'On' (the default) the module adds minimal
    cache control response headers to discourage caching of content in
    shared proxy caches. 'Paranoid' causes additional headers to be
    sent, 'Off' suppresses this behaviour (todo#14)

  . Added a special content handler that can be used via 'SetHandler
    AALogout' to automatically create a 'logout URL'. Added new
    directives AALogoutMsg so the content of the default page can be
    overridden, and AALogoutService to set the location of the
    authentication service logout page that is linked to from the
    default logout page (todo#13)

  . AAFail directive now takes the standard values 'On' or 'Off'

  . Overhauled the directive merging process. The values of all
    directives used this module are now inherited from outer blocks.

  . Added module version stamp to Apache startup banner, and to
    'Server:' HTTP response header (subject to the setting of the
    ServerTokens directive)

  . Session cookie now contains issue data and lifetime, rather than
    issue date and expiry date

  . Assorted code changes to better support building Apache 1.3 and
    Apache 2 modules from the same source

  . Assorted changes to better support Apache 2

  . Updated documentation

 Bugs fixed:

  . Fixed a bug that could cause a successfully initial
    authentication to be immediately followed by a re-authentication
    request claiming 'You login to the site has expired' (todo#9
    reported by Martin Lucas-Smith)

  . Re-worked how we determine our own URL - it should now never use
    information provided in the request (such as the 'Host:' header)
    and therefore be safe even if 'UseCannonicalName' is off (todo#4)

  . Changed most error returns to be '400 - Bad Request', '500 -
    Server Error' now used only for server configuration errors
    (todo#12, suggested by Ben Harris)

  . Corrected a bug which caused only the first 4 characters of
    AACookieKey to be used (toto#17)

  . Corrected potential bug in encoding/decoding base64 data
    containing NULL

  . Stopped sending 'skew' parameter in requests, since it's about to
    become deprecated in the protocol, and improved log messages that
    may result from out-of-sync clocks (todo#11)

  . Fix a bug that would have prevented successfully authentication of
    requests containing CGI parameters

  . Added check for a '401 - Access Denied' ErrorDocument before
    inserting the module's default page (the latter needed because the
    Apache default is confusing in a mod_ucam_webauth context).

0.45 - 2004-06-11 jw

  . RPM spec files added to the distribution

  . Fixed memory overflow triggered by re-authenticating to a URL
    containing CGI parameters. Thank to Tom deMulder for assistance in
    tracking this down (toto#5)

  . Source code reformat for readability

0.44 - 2004-05-04 jw

  . Fixed to build for gcc 2.?? (as found on RH7.2 etc) - source
    accidentally depended on the C99 feature of being able to declare
    variables anywhere within a block

  . Added MANIFEST, NOTICE, Makefile to build distribution, copyright
    statement in the source

0.43 - 2004-04-20 jw

  . Corrected a problem with Apache 1.3 where the port number
    did not appear in the URL sent to the WLS

  . Fixed bogus reference to PerlSetVar in the docs

0.42 - 2004-??-??

  . Unknown change

0.41 - 2004-03-04

  . Makes Apache 1.3/2 build decision based on APACHE_RELEASE

  . Revised error and state logging

  Fixed:

  . Merging of server and per-directory configuration directives

  . Assignment type mismatch

0.4 - 2004-03-11

  Fixed:

  . Configuration directives can now be specified anywhere

  . Proper reporting and response to file access errors

  . Builds quietly

  . Type mismatches corrected

0.31 - 2004-03-09

  Fixed:

  . Correct Apache 2 NOMATCH constant for apr_fnmatch function

0.3 - 2--4-03-08

  . Versions for Apache 1.3 and 2 can now be built from a single source file

0.2 - 2004-03-03

  Fixed:

  . Timeout message handling

  . Proper deletion of cookies via setting expiry in past

  . Secure cookie handling

  . Rename module to mod_ucam_webauth

0.1 - 2004-02-25

  . First working version