LemonLDAP NG / lemonldap-ng / Issues / #2434

[security:medium] Headers are not deleted for unprotected or skip locations with nginx handler

Concerned version

Version: 2.0.9

Platform: CentOS 7 (or 8), nginx 1.19.3 (openresty build, to have lua support)

Summary

When defining a location with an unprotect rule, I expect that:

  • For authenticated users, exported headers are added to the request
  • For unauthenticated users, exported headers are cleared before passing the request to the backend, to prevent unauthenticated users from sending arbitrary headers and faking an authenticated one

This used to work as expected when I was using the Apache handler (in the 1.2 era). I've just tested it again, but now I'm running the handler with nginx. Headers are not removed for unauthenticated users' requests. So, for example, if the backend app recognizes users by means of the Auth-User header, an unauthenticated user can just send this header with any valid user name, and the app will recognize it.

(Restricting access to this bug as it's a potential serious security issue)

Edited Jan 17, 2021 by Clément OUDOT
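The two behaviours the report contrasts, modelled as an added example (not LemonLDAP::NG code): a pass-through that forwards client headers untouched for an unprotect location, beside the expected handling that strips any client-supplied exported header before adding session values. The header names, function names and the forged request are constructed for the illustration.

```python
# Added example modelling the report's expected handler behaviour.
# EXPORTED_HEADERS, both functions and the sample request are assumptions
# made for this illustration, not identifiers from LemonLDAP::NG.

# Headers the handler would export for an authenticated session (constructed).
EXPORTED_HEADERS = ("Auth-User", "Auth-Mail")


def forward_headers_passthrough(client_headers, session):
    """Behaviour described in the report for unprotect/skip locations:
    client headers reach the backend untouched, so an unauthenticated
    client can supply Auth-User itself."""
    headers = dict(client_headers)
    if session:
        headers.update({h: session[h] for h in EXPORTED_HEADERS if h in session})
    return headers


def forward_headers_expected(client_headers, session):
    """Expected behaviour: drop every client-supplied exported header first
    (header names compared case-insensitively), then add the session's
    values only when an authenticated session exists."""
    wanted = {h.lower() for h in EXPORTED_HEADERS}
    headers = {k: v for k, v in client_headers.items() if k.lower() not in wanted}
    if session:
        for h in EXPORTED_HEADERS:
            if h in session:
                headers[h] = session[h]
    return headers


# Constructed sample: an unauthenticated request that forges Auth-User,
# using a lower-case name to show why the comparison must ignore case.
FORGED_REQUEST = {"Host": "app.example.com", "auth-user": "admin"}

if __name__ == "__main__":
    print(forward_headers_passthrough(FORGED_REQUEST, None))
    print(forward_headers_expected(FORGED_REQUEST, None))
    print(forward_headers_expected(FORGED_REQUEST, {"Auth-User": "alice"}))
```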