Commit 5d2b50e9 authored by Yadd's avatar Yadd

Modification for XSS: for the logout URL, we now test the Referer field

parent 2523fc5c
......@@ -798,14 +798,14 @@ sub info {
sub printImage {
my ( $self, $file, $type ) = @_;
binmode STDOUT;
unless (open(IMAGE, '<', $file)) {
unless ( open( IMAGE, '<', $file ) ) {
$self->lmLog( "Could not display image '$file'", 'error' );
return;
}
print $self->header(
$type . '; charset=utf-8; content-length=' . (stat($file))[10]);
$type . '; charset=utf-8; content-length=' . ( stat($file) )[10] );
my $buffer = "";
while (read(IMAGE, $buffer, 4096)) {
while ( read( IMAGE, $buffer, 4096 ) ) {
print $buffer;
}
close(IMAGE);
......@@ -883,17 +883,22 @@ sub controlUrlOrigin {
$self->{urldc} = decode_base64($url);
$self->{urldc} =~ s/[\r\n]//sg;
# For logout request, test if Referer comes from an authorizated site
my $tmp =
( $self->param('logout') ? $ENV{HTTP_REFERER} : $self->{urldc} );
# REJECT [\0<'"`] in URL or encoded '%' and non protected hosts
if (
$self->{urldc} =~ /(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/
or ( $self->{urldc} !~
m#^https?://(?:$self->{reVHosts}$self->{trustedDomains})(?::\d+)?(?:/.*)?$#o
and not $self->param('logout') )
or ( $tmp !~
/^https?:\/\/(?:$self->{reVHosts}$self->{trustedDomains})(?::\d+)?(?:\/.*)?$/o
)
)
{
$self->lmLog(
"XSS attack detected (param: urldc | value: "
. $self->{urldc} . ")",
"XSS attack detected (param: "
. ( $self->param('logout') ? 'HTTP Referer' : 'urldc' )
. " | value: $tmp)",
"warn"
);
delete $self->{urldc};
......
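Review bot: When `logout` is set and the request carries no Referer header, `$tmp` is undef, so the new `$tmp !~ /^https?:...$/o` test and the `value: $tmp` interpolation in the lmLog message both emit "Use of uninitialized value" warnings; the request is still rejected, which is the safe outcome, but make it explicit with `$tmp = '' unless defined $tmp;` right after the assignment. Separately, the `and not $self->param('logout')` clause means the host whitelist, and with it the `^https?://` scheme requirement, is no longer applied to `$self->{urldc}` on logout, and the character blacklist that remains only rejects `\0`, `<`, quotes and a few percent-encodings, so a decoded URL with a non-HTTP scheme such as `javascript:` would pass whenever the Referer is trusted; keeping a scheme check in the logout branch, e.g. `or $self->{urldc} !~ m#^https?://#`, closes that gap without affecting the new tests. Note also that the `/o` copied onto the new Referer regex compiles the interpolated `reVHosts`/`trustedDomains` once per process, so a later change to either value is not picked up, the same caveat as the existing urldc regex. The body of controlUrlOrigin starts before and continues after this hunk.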
......@@ -7,10 +7,11 @@
package My::Portal;
use strict;
use Test::More tests => 16;
use Test::More tests => 19;
BEGIN {
use_ok( 'Lemonldap::NG::Portal::Simple', ':all' );
sub Lemonldap::NG::Portal::Simple::lmLog {}
sub Lemonldap::NG::Portal::Simple::lmLog { }
}
#use Lemonldap::NG::Portal::Simple;
......@@ -22,55 +23,78 @@ my @h = (
'' => PE_OK, 'Empty',
# http://test.example.com/
# 4 http://test.example.com/
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20v' => PE_OK, 'Protected virtual host',
# http://test.example.com
# 5 http://test.example.com
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20v' => PE_OK, 'Missing / in URL',
# http://test.example.com:8000/test
# 6 http://test.example.com:8000/test
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMC90ZXN0' => PE_OK, 'Non default port',
# http://test.example.com:8000
# 7 http://test.example.com:8000
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMA==' => PE_OK,
'Non default port with missing /',
# http://t.example2.com/test
# 8 http://t.example2.com/test
'aHR0cDovL3QuZXhhbXBsZTIuY29tL3Rlc3Q=' => PE_OK,
'Undeclared virtual host in trusted domain',
# http://t.example.com/test
# 9 http://t.example.com/test
'aHR0cDovL3QuZXhhbXBsZS5jb20vdGVzdA==' => PE_BADURL,
'Undeclared virtual host in (untrusted) protected domain',
# 10
'http://test.com/' => PE_BADURL, 'Non base64 encoded characters',
# http://test.example.com:8000V
# 11 http://test.example.com:8000V
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMFY=' => PE_BADURL,
'Non number in port',
# http://t.ex.com/test
# 12 http://t.ex.com/test
'aHR0cDovL3QuZXguY29tL3Rlc3Q=' => PE_BADURL,
'Undeclared virtual host in an other domain',
# http://test.example.com/%00
# 13 http://test.example.com/%00
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vJTAw' => PE_BADURL, 'Base64 encoded \0',
# http://test.example.com/test\0
# 14 http://test.example.com/test\0
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdAA=' => PE_BADURL,
'Base64 and url encoded \0',
# 15
'XX%00' => PE_BADURL, 'Non base64 encoded \0 ',
# http://test.example.com/test?<script>alert()</script>
# 16 http://test.example.com/test?<script>alert()</script>
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdD88c2NyaXB0PmFsZXJ0KCk8L3NjcmlwdD4='
=> PE_BADURL,
'base64 encoded HTML tags',
# LOGOUT TESTS
'LOGOUT',
# 17 url=http://www.toto.com/, bad referer
'aHR0cDovL3d3dy50b3RvLmNvbS8=',
'http://bad.com/' => PE_BADURL,
'Logout required by bad site',
# 18 url=http://www.toto.com/, good referer
'aHR0cDovL3d3dy50b3RvLmNvbS8=',
'http://test.example.com/' => PE_OK,
'Logout required by good site',
# 19 url=http://www?<script>, good referer
'aHR0cDovL3d3dz88c2NyaXB0Pg==',
'http://test.example.com/' => PE_BADURL,
'script with logout',
);
my $count = 0;
sub param {
shift;
my $p = shift;
$count++;
if ( $p and $p eq 'url' ) {
return $url;
}
......@@ -104,12 +128,20 @@ ok(
$p->{reVHosts} = '(?:test\.example\.com)';
while ( defined( $url = shift(@h) ) ) {
last if ( $url eq 'LOGOUT' );
$result = shift @h;
my $text = shift @h;
ok( $p->controlUrlOrigin() == $result, $text );
#print ($p->controlUrlOrigin() == $result ? "OK" : "NOK");
#print " $url\n";
}
# LOGOUT CASES
$logout = 1;
while ( defined( $url = shift(@h) ) ) {
my $referer = shift @h;
$result = shift @h;
my $text = shift @h;
$ENV{HTTP_REFERER} = $referer;
ok( $p->controlUrlOrigin() == $result, $text );
}
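Review bot: The LOGOUT cases cover a bad, a good and a script-bearing Referer but not an empty one, which is a common situation when browsers suppress the header, and it is exactly the case where controlUrlOrigin should fail closed; pin it by appending `'aHR0cDovL3d3dy50b3RvLmNvbS8=', '' => PE_BADURL, 'Logout with empty referer',` to the LOGOUT block and bumping `tests => 20`. The loop assigns `$ENV{HTTP_REFERER}` directly, so the value leaks past the loop; `local $ENV{HTTP_REFERER} = $referer;` inside the block restores the environment for anything that runs afterwards. The remaining assertions of this test file continue past the hunk.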