lemonldap-ng issue #2434 (Closed)
Issue created Jan 07, 2021 by Daniel Berteaud (@dani1)

[security:medium] Headers are not deleted for unprotected or skip locations with nginx handler

Concerned version

Version: 2.0.9
Platform: CentOS 7 (or 8), nginx 1.19.3 (openresty build, to have lua support)

Summary

When defining a location with an unprotect rule, I expect that:

  • For authenticated users, exported headers are added to the request
  • For unauthenticated users, exported headers are cleared before passing the request to the backend, to prevent unauthenticated users from sending arbitrary headers and faking an authenticated one

This used to work as expected when I was using the Apache handler (in the 1.2 era). I've just tested it again, but now I'm running the handler with nginx. Headers are not removed for unauthenticated users' requests. So, for example, if the backend app recognizes users by means of the Auth-User header, an unauthenticated user can just send this header with any valid user name, and the app will recognize it.

(Restricting access to this bug as it's a potential serious security issue)

Edited Jan 17, 2021 by Clément OUDOT
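The behaviour the report expects (exported headers overwritten for authenticated users, stripped for everyone else) is enforced at the proxy, not by the backend. The nginx fragment below is an added illustration of that pattern and is not the project's reference configuration or the reporter's setup; it assumes the LemonLDAP::NG FastCGI handler listens on `unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock`, answers the `auth_request` subrequest at `/lmauth`, and returns the user name in an `Auth-User` response header. The server name and backend address are constructed.

```nginx
# Added example, not the project's own config. Assumed: handler socket path,
# the /lmauth subrequest location and the Auth-User header name.
server {
    listen 80;
    server_name app.example.com;   # constructed

    # Internal subrequest: nginx asks the handler whether the request is
    # allowed and which headers the backend should see.
    location = /lmauth {
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;  # assumed
        fastcgi_pass_request_body off;
        fastcgi_param CONTENT_LENGTH "";
        fastcgi_param HOST $http_host;             # assumed handler input
        fastcgi_param X_ORIGINAL_URI $request_uri; # assumed handler input
    }

    # WEAK: the handler is consulted, but nothing overrides the client's own
    # headers, so nginx forwards a spoofed "Auth-User" untouched whenever the
    # handler allows the request (e.g. an unprotect rule with no session).
    location /weak/ {
        auth_request /lmauth;
        proxy_pass http://127.0.0.1:8080;   # constructed backend
    }

    # HARDENED: the backend-facing header is always derived from the
    # subrequest response, never from the client request.
    location / {
        auth_request /lmauth;
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;

        # Copy the exported header out of the handler's response. For an
        # unauthenticated user on an unprotect rule this variable is empty.
        auth_request_set $authuser $upstream_http_auth_user;

        # proxy_set_header replaces whatever the client sent. When the value
        # is an empty string nginx does not pass the field at all, so a
        # client-supplied "Auth-User: someone" never reaches the backend.
        proxy_set_header Auth-User $authuser;
        proxy_pass http://127.0.0.1:8080;   # constructed backend
    }
}
```

Two caveats when applying this. First, `proxy_set_header` directives are not merged across levels: a `location` that declares any `proxy_set_header` of its own stops inheriting those of the enclosing `server` block, so the clearing directive has to be present in every location that proxies. Second, every header the handler exports needs its own `auth_request_set` / `proxy_set_header` pair; a header that is exported but not overridden in nginx is passed through from the client exactly as the report describes. Verifying the fix means sending the header from an unauthenticated client and checking in the backend's request log that it was not received.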