Skip to content
GitLab
Projects Groups Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • lemonldap-ng lemonldap-ng
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 314
    • Issues 314
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 7
    • Merge requests 7
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Container Registry
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • LemonLDAP NGLemonLDAP NG
  • lemonldap-nglemonldap-ng
  • Issues
  • #2534
Closed
Open
Issue created Jun 03, 2021 by Maxime Besson@maxbes🔧Maintainer

CDA does not work with wildcard vhosts

Concerned version

Version: 2.0.11

Summary

Summarize the bug encountered concisely

  • Remove test1.example.com and test2.example.com from default vhosts
  • Add test%.example.com, type CDA
  • Set cookie domain to auth.example.com
  • Try to navigate to test1.example.com

=> redirection loop, CDA is not triggered

Possible fixes

Wildcards are not expanded when constructing trustedDomainsRe

Quickfix:

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
@@ -377,9 +377,17 @@ sub reloadConf {
             $p =~ s#https?://([^/]*).*$#$1#;
             $re->add( quotemeta($p) );
         }
+
         foreach my $vhost ( keys %{ $self->conf->{locationRules} } ) {
+            my $expr = quotemeta($vhost);
+
+            # Handle wildcards
+            if ($vhost =~ /[\%\*]/) {
+                $expr =~ s/\\\*/\.*/;
+                $expr =~ s/\\\%/[\^\.]\*/;
+            }
+            $re->add( $expr );
             $self->logger->debug("Vhost $vhost added in trusted domains");
-            $re->add( quotemeta($vhost) );
             $self->conf->{vhostOptions} ||= {};
             if ( my $tmp =
                 $self->conf->{vhostOptions}->{$vhost}->{vhostAliases} 

There might be a better way to handle this. In particular, we should probably not use isTrustedUrl to trigger CDA.

Assignee
Assign to
Time tracking