Commit 66946e8f authored by Maxime Besson

Fix auth process in password-testing plugins (#2611)

parent 83e95cd0
Pipeline #15774 passed with stage
in 21 minutes and 30 seconds
  • Maxime Besson 🔧 @maxbes

    mentioned in issue #2612 (closed)

  • Yadd @guimard ·
    Owner

    When trying to apply this patch to 2.0.11, I got this:

    [error] Bad Autologin rule "$env->{REMOTE_ADDR =~ /^127/: syntax error at (eval 118) line 1, near "/^127/)"
    Missing right curly or square bracket at (eval 118) line 1, at end of line
    
    [Fri Jan 14 16:59:40 2022] [LLNG:2473727] [error] Bad Autologin rule "$env->{REMOTE_ADDR} =~ /^127: Search pattern not terminated at (eval 122) line 1, <FILE> line 1.
    
    Use of uninitialized value in hash element at /<<PKGBUILDDIR>>/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/UserDB/Demo.pm line 69, <FILE> line 1.
    Use of uninitialized value in hash element at /<<PKGBUILDDIR>>/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/UserDB/Demo.pm line 69, <FILE> line 1.
    
    #   Failed test ' HTTP code is 200'
    #   at t/test-lib.pm line 359.
    #          got: '500'
    #     expected: '200'
    # Expect 200, get $VAR1 = [
    #           500,
    #           [
    #             'Content-Type',
    #             'application/json; charset=utf-8',
    #             'Cache-Control',
    #             'no-cache, no-store, must-revalidate',
    #             'Pragma',
    #             'no-cache',
    #             'Expires',
    #             0,
    #             'Access-Control-Allow-Origin',
    #             '*',
    #             'Access-Control-Allow-Credentials',
    #             'true',
    #             'Access-Control-Allow-Headers',
    #             '*',
    #             'Access-Control-Allow-Methods',
    #             'POST,GET',
    #             'Access-Control-Expose-Headers',
    #             '*',
    #             'Access-Control-Max-Age',
    #             86400
    #           ],
    #           [
    #             '{"error":"Bad result during auth: 5"}'
    #           ]
    #         ];
    # 
    
    #   Failed test 'response has a result key with value 1'
    #   at t/65-CheckState.t line 84.
    #          got: undef
    #     expected: '1'
    # Looks like you failed 2 tests of 35.
    t/65-CheckState.t ................................................. 
    Dubious, test returned 2 (wstat 512, 0x200)
    Failed 2/35 subtests
  • Maintainer

    Applying 83e95cd0 and 66946e8f on top of 2.0.11 works fine for me after merging. Could you create a branch with your patch so I can test?

    Edited by Maxime Besson
  • Yadd @guimard ·
    Owner

    Not for me. Git repo is here: Debian lemonldap-ng repo, branch bullseye

    Use dh_quilt_patch to apply patches. New patch is stored in debian/patches/CVE-2021-40874.patch

  • Maintainer

    In your patch, the following chunk from CheckState.pm is incorrect:

                     'getUser',                         'authenticate',
    -                @{ $self->p->betweenAuthAndData }, $self->p->sessionData,
    -                @{ $self->p->afterData },          'storeHistory',
    +                @{ $self->p->beforeAuth },
    +                $self->p->authProcess,
    +                @{ $self->p->betweenAuthAndData },
    +                $self->p->sessionData,
    +                @{ $self->p->afterData },
    +                'storeHistory',
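
    Review bot: the first line of this chunk, 'getUser', 'authenticate', is carried as unchanged context while $self->p->authProcess is added two lines below it, so the resulting step list names the user lookup and authentication steps directly and then again through authProcess. Mark that line as removed (-) so the list continues with @{ $self->p->beforeAuth } and $self->p->authProcess, then re-run t/65-CheckState.t, which is the test that failed in the backport report above.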

    The correct patch (see above) is supposed to remove the first line (getUser + authenticate), which are called as part of authProcess.
