Commit 66946e8f authored by Maxime Besson's avatar Maxime Besson

Fix auth process in password-testing plugins (#2611)

parent 83e95cd0
Pipeline #15774 passed with stage
in 21 minutes and 30 seconds
......@@ -73,7 +73,10 @@ sub extractFormInfo {
my $res = PE_OK;
# 1. No user defined at all -> first access
unless ( $defUser and $req->method =~ /^POST$/i ) {
# _pwdCheck is a workaround to make CheckUser work while using a GET
unless ( $defUser
and ( uc( $req->method ) eq "POST" or $req->data->{_pwdCheck} ) )
{
$res = PE_FIRSTACCESS;
}
......
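Review bot: The new `$req->data->{_pwdCheck}` condition lets a GET request through a check that otherwise requires POST, and nothing on the new side says why a client cannot reach that path. A short comment should state the reason: `# _pwdCheck lives in $req->data and is set only server-side (CheckState, pwdConfirm); it is never taken from request parameters, so a client cannot use it to skip the POST requirement`. That holds as far as these hunks show, where the flag is assigned only by the two plugins; whether `$req->data` can be populated from any client-controlled source elsewhere is not visible here and should be confirmed. extractFormInfo starts and ends outside this hunk.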
......@@ -41,16 +41,22 @@ sub check {
if ( my $user = $req->param('user') and my $pwd = $req->param('password') )
{
$req->user($user);
$req->data->{password} = $pwd;
$req->parameters->{user} = ($user);
$req->parameters->{password} = $pwd;
$req->data->{skipToken} = 1;
# This makes Auth::Choice use authChoiceAuthBasic if defined
$req->data->{_pwdCheck} = 1;
# Not launched methods:
# - "extractFormInfo" due to "token"
# - "buildCookie" useless here
$req->steps( [
'getUser', 'authenticate',
@{ $self->p->betweenAuthAndData }, $self->p->sessionData,
@{ $self->p->afterData }, 'storeHistory',
@{ $self->p->beforeAuth },
$self->p->authProcess,
@{ $self->p->betweenAuthAndData },
$self->p->sessionData,
@{ $self->p->afterData },
'storeHistory',
@{ $self->p->endAuth }
]
);
......
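Review bot: The comment `# - "extractFormInfo" due to "token"` under `# Not launched methods:` is stale on the new side: `'getUser', 'authenticate'` has been replaced by `$self->p->authProcess`, and the first hunk's `_pwdCheck` workaround inside extractFormInfo indicates that step now does run, with `skipToken` and `_pwdCheck` there so it accepts this tokenless GET. Replace that line with `# - extractFormInfo now runs inside authProcess; skipToken/_pwdCheck let it accept this tokenless GET` and keep the `buildCookie` line. The parentheses in `$req->parameters->{user} = ($user);` do nothing in a scalar assignment and should go, matching the `password` line below it. The hunk ends at the closing `);`; what `check` does with the result of `process` lies outside it.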
......@@ -698,12 +698,13 @@ sub pwdConfirm {
400 );
}
$req->user($user);
$req->data->{password} = $password;
$req->data->{_pwdCheck} = 1;
$req->parameters->{user} = $user;
$req->parameters->{password} = $password;
$req->data->{_pwdCheck} = 1;
$req->data->{skipToken} = 1;
if ( $self->p->_userDB ) {
$req->steps( [ 'getUser', 'authenticate' ] );
$req->steps( [ $self->p->authProcess ] );
my $result = $self->p->process($req);
if ( $result == PE_PASSWORD_OK or $result == PE_OK ) {
return $self->p->sendJSONresponse( $req,
......
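Review bot: `$req->steps( [ $self->p->authProcess ] );` omits `@{ $self->p->beforeAuth }`, which the CheckState hunk in this same commit runs ahead of `authProcess`; if any plugin hooks beforeAuth to influence authentication, the two password-testing paths now diverge, so either add `@{ $self->p->beforeAuth },` before `$self->p->authProcess` here or add a comment saying why pwdConfirm deliberately skips it. With the full process in place, extractFormInfo can return codes such as PE_FIRSTACCESS (see the first hunk), and the `if ( $result == PE_PASSWORD_OK or $result == PE_OK )` test rightly treats anything else as failure. The cleartext password now copied into `$req->parameters->{password}` appears to remain on the request object after `process` returns; unless something downstream needs it, clear it with `delete $req->parameters->{password};` right after the call. The `else` branch and the end of pwdConfirm are outside this hunk.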
  • mentioned in issue #2612 (closed)

  • When trying to apply this patch to 2.0.11, I got this:

    [error] Bad Autologin rule "$env->{REMOTE_ADDR =~ /^127/: syntax error at (eval 118) line 1, near "/^127/)"
    Missing right curly or square bracket at (eval 118) line 1, at end of line
    
    [Fri Jan 14 16:59:40 2022] [LLNG:2473727] [error] Bad Autologin rule "$env->{REMOTE_ADDR} =~ /^127: Search pattern not terminated at (eval 122) line 1, <FILE> line 1.
    
    Use of uninitialized value in hash element at /<<PKGBUILDDIR>>/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/UserDB/Demo.pm line 69, <FILE> line 1.
    Use of uninitialized value in hash element at /<<PKGBUILDDIR>>/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/UserDB/Demo.pm line 69, <FILE> line 1.
    
    #   Failed test ' HTTP code is 200'
    #   at t/test-lib.pm line 359.
    #          got: '500'
    #     expected: '200'
    # Expect 200, get $VAR1 = [
    #           500,
    #           [
    #             'Content-Type',
    #             'application/json; charset=utf-8',
    #             'Cache-Control',
    #             'no-cache, no-store, must-revalidate',
    #             'Pragma',
    #             'no-cache',
    #             'Expires',
    #             0,
    #             'Access-Control-Allow-Origin',
    #             '*',
    #             'Access-Control-Allow-Credentials',
    #             'true',
    #             'Access-Control-Allow-Headers',
    #             '*',
    #             'Access-Control-Allow-Methods',
    #             'POST,GET',
    #             'Access-Control-Expose-Headers',
    #             '*',
    #             'Access-Control-Max-Age',
    #             86400
    #           ],
    #           [
    #             '{"error":"Bad result during auth: 5"}'
    #           ]
    #         ];
    # 
    
    #   Failed test 'response has a result key with value 1'
    #   at t/65-CheckState.t line 84.
    #          got: undef
    #     expected: '1'
    # Looks like you failed 2 tests of 35.
    t/65-CheckState.t ................................................. 
    Dubious, test returned 2 (wstat 512, 0x200)
    Failed 2/35 subtests
  • Applying 83e95cd0 and 66946e8f on top of 2.0.11 works fine for me after merging. Could you create a branch with your patch so I can test?

    Edited by Maxime Besson
  • Not for me. Git repo is here: Debian lemonldap-ng repo, branch bullseye

    Use dh_quilt_patch to apply patches. New patch is stored in debian/patches/CVE-2021-40874.patch

  • In your patch, the following chunk from CheckState.pm is incorrect:

                     'getUser',                         'authenticate',
    -                @{ $self->p->betweenAuthAndData }, $self->p->sessionData,
    -                @{ $self->p->afterData },          'storeHistory',
    +                @{ $self->p->beforeAuth },
    +                $self->p->authProcess,
    +                @{ $self->p->betweenAuthAndData },
    +                $self->p->sessionData,
    +                @{ $self->p->afterData },
    +                'storeHistory',

    The correct patch (see above) is supposed to remove the first line (`'getUser', 'authenticate'`) as well, since both of those steps are already run as part of `authProcess`.
