LemonLDAP NG / lemonldap-ng · Issue #2434 · Closed
Created Jan 07, 2021 by Daniel Berteaud (@dani1)

[security:medium] Headers are not deleted for unprotected or skip locations with nginx handler

Concerned version

Version: 2.0.9
Platform: CentOS 7 (or 8), nginx 1.19.3 (OpenResty build, to have Lua support)

Summary

When defining a location with an unprotect rule, I expect that:

  • For authenticated users, exported headers are added to the request
  • For unauthenticated users, exported headers are cleared before the request is passed to the backend, to prevent unauthenticated users from sending arbitrary headers and faking an authenticated one

This used to work as expected when I was using the Apache handler (in the 1.2 era). I've just tested it again, but now I'm running the handler with nginx: headers are not removed for unauthenticated users' requests. So, for example, if the backend app recognizes users by means of the Auth-User header, an unauthenticated user can just send this header with any valid user name, and the app will recognize it.

(Restricting access to this bug as it's a potentially serious security issue)

Edited Jan 17, 2021 by Clément OUDOT
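The two behaviours the report contrasts, as an added example that is not part of the issue and is not LemonLDAP::NG or nginx code: a small model of the header-forwarding step in front of a backend that trusts Auth-User. The header list EXPORTED_HEADERS, the AuthResult type, the function names and the constructed request are all assumptions made for the illustration; the point they demonstrate is the one in the report, that exported headers must be removed from the client request before the session's values (if any) are added, not only when a session exists.

```python
# Added example (not LemonLDAP::NG or nginx code): a model of the header
# handling described in issue #2434. It assumes an SSO handler that exports
# the headers listed in EXPORTED_HEADERS and a backend that trusts Auth-User.
from dataclasses import dataclass, field

# Assumption: the header names the handler exports for authenticated sessions.
EXPORTED_HEADERS = ("Auth-User", "Auth-Groups")


@dataclass
class AuthResult:
    """What the handler decided for one request on an unprotect/skip location."""
    authenticated: bool
    exported: dict = field(default_factory=dict)  # headers taken from the session


def _is_exported(name: str) -> bool:
    # HTTP header names are case-insensitive, so compare them that way.
    return name.lower() in {h.lower() for h in EXPORTED_HEADERS}


def forward_headers_vulnerable(client_headers: dict, auth: AuthResult) -> dict:
    """Behaviour the report describes: exported headers are only written when
    there is a session; otherwise the client's own headers pass through to
    the backend untouched."""
    out = dict(client_headers)
    if auth.authenticated:
        out.update(auth.exported)
    return out


def forward_headers_hardened(client_headers: dict, auth: AuthResult) -> dict:
    """Expected behaviour: every exported header is stripped from the client
    request first, then re-added from the session only when one exists, so
    nothing the client sent under those names ever reaches the backend."""
    out = {k: v for k, v in client_headers.items() if not _is_exported(k)}
    if auth.authenticated:
        out.update(auth.exported)
    return out


def backend_identity(headers: dict):
    """The backend in the report: it identifies the user purely from Auth-User."""
    for name, value in headers.items():
        if name.lower() == "auth-user":
            return value
    return None


def spoof_succeeds(forward) -> bool:
    """Regression check: can an unauthenticated client impersonate a user on an
    unprotect location just by supplying the exported header itself?
    The request is constructed; the header name is lower-cased on purpose so
    that a case-sensitive strip would also be caught."""
    spoofed = {"Host": "app.example.com", "auth-user": "admin"}  # constructed
    seen = backend_identity(forward(spoofed, AuthResult(authenticated=False)))
    return seen is not None


if __name__ == "__main__":
    for fn in (forward_headers_vulnerable, forward_headers_hardened):
        print(f"{fn.__name__}: spoof succeeds = {spoof_succeeds(fn)}")
```

Against a real deployment the same check is a request to an unprotect location with no session cookie and an Auth-User header supplied by the client, followed by a look at what the backend actually received; the hardened model corresponds to setting the exported headers on every request rather than only when a session exists (with nginx, proxy_set_header with an empty value drops the header instead of passing it on).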