# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2023-05-12T17:56:15Z)

## [Security:Low] incorrect parsing of OP-provided acr
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2875, reported by Maxime Besson, updated 2023-05-12T17:56:15Z.
### Concerned version
Version: 2.0.16
### Summary
* Configure Auth::OIDC with an OP that always returns `acr: 1` in the ID token
* Set oidcOPMetaDataOptionsAcrValues to `loa-1`
* `ACR` value `1` is accepted despite not being part of the list `['loa-1']`
### Possible fixes
```perl
unless ( $acr_values =~ /\b$acr\b/i ) {
```
It is not a good way to test because `\b` matches too many things (in the example, it matches `-`).
Milestone: 2.16.2. Assignee: Maxime Besson.

## Removing oidcOPMetaDataOptionsAcrValues causes OIDC auth to fail
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2874, reported by Maxime Besson, updated 2023-05-09T07:15:43Z.
### Concerned version
Version: 2.0.16
### Summary
* Configure Auth::OIDC with a provider that doesn't support ACR values
* set oidcOPMetaDataOptionsAcrValues to something
* authentication fails :white_check_mark:
* unset oidcOPMetaDataOptionsAcrValues in manager
* authentication still fails :x:
### Logs
```
ACR was not returned by OP xxx
```
Milestone: 2.17.0. Assignee: Maxime Besson.

## AjaxInitScript/InitCmd not called after Choice error
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2873, reported by Maxime Besson, updated 2023-05-05T13:18:39Z.
### Concerned version
Version: 2.0.16
### Summary
* Configure a Choice with Demo | SSL
* Fail Demo
* Choice is displayed again
* But SSL Initscript is not called :x:
* Try SSL => fail :x:
### Possible fixes
Choice `extractFormInfo` only calls AjaxInitScript + InitCmd when no choice is already selected.
In the case described above, a choice is selected, but fails, and the Choice form is displayed again. We should call AjaxInitScript+InitCmd every time we call `extractFormInfo` instead.
Other possibility: call these methods in `_buildAuthLoop`?
Milestone: 2.17.0.

## Possible bug in manager related to adaptativeAuthenticationLevelRules
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2871, reported by Davide Bozzelli, updated 2023-02-25T10:57:20Z.
In 2.0.16, when in the manager I try to add an adaptive auth rule by inserting, for example:
* As key: `$env->{REMOTE_ADDR} =~ /^192\.168\./`
* As value: `+3`

I receive the following error:
```
adaptativeAuthenticationLevelRules/$env->{REMOTE_ADDR} =~ /^192\.168\./: Bad regular expression
```
As this is simply the example reported in the inline help, I would imagine there is some bug in the parsing of the rule.
Thx
Milestone: 2.16.1. Assignee: Maxime Besson.

## OIDC: `sid` in Front-Channel-Logout request is wrong
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2863, reported by Yadd, updated 2023-02-17T10:37:51Z.
### Concerned version
Version: %2.0.16
### Summary
In 2.0.16, the Front-Channel Logout request sends the following:
```perl
build_urlencoded(
    iss => $self->iss,
    sid => $user_id,
);
```
According to the OIDC specs, this is a wrong value. It should contain the `sid` claim sent in the ID Token.
Fix depends on #2862.
Milestone: 2.17.0. Assignee: Yadd.

## Password policy does not work with underscore
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2859, reported by Christophe Maudoux (chrmdx@gmail.com), updated 2023-01-31T18:04:37Z.
### Concerned version
Version: %2.0.X
Platform: (Nginx/Apache/Node.js)
### Summary
Underscore is not allowed on the server side.
Milestone: 2.0.16. Assignee: Clément OUDOT.

## Confusing error message when trying to verify webauthn credential while there is no available credential
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2854, reported by Maxime Besson, updated 2023-01-23T14:15:31Z.
### Concerned version
Version: 2.0.15
### Summary
* Enable webauthn2f
* Browse to 2FA manager
* Click 'verify' button
A confusing error message is displayed
![image](/uploads/c2451e73bf10569ef8c257abb380659e/image.png)
### Logs
```
{"error":"webauthn2f: no registered device"}
```
### Possible fixes
Return a translatable error code instead of a message.
Milestone: 2.0.16. Assignee: Maxime Besson. Due date: 2023-01-23.

## Allow multiple SSL choices
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2852, reported by Maxime Besson, updated 2023-05-09T07:16:50Z.
### Concerned version
Version: 2.0.15
### Summary
* Configure the Choice module for SSL (by ajax)
* Add a second SSL choice with a different UserDB
* only one of them actually works :x:
### Possible fixes
Fix the SSL JS code to only submit the form that was clicked instead of submitting all SSL buttons. This requires changes in JS and templates.
Milestone: 2.16.2. Assignee: Maxime Besson.

## Configuration corruption due to accented characters
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2847, reported by Christophe Maudoux (chrmdx@gmail.com), updated 2023-08-02T12:58:53Z.
### Concerned version
Version: all
Platform: Nginx + uWSGI
### Summary
An LL::NG instance crashed (out of memory) due to accented characters and a re-encoding issue that led to a conf. corruption.
The normal conf. size is near 600 kB; the corrupted conf. size is near 280 MB!
### Logs
![image](/uploads/d7ab46baa142647e315118ca4a1de162/image.png)
### Backends used
PGSQL
### Possible fixes
Append an option to remove all accented or non printable characters.
Append a warning in Manager if conf. size is out of customizable bounds.
Milestone: 2.17.0. Assignee: Maxime Besson.

## Incorrect handling of custom schemes when auto-setting CSP form-action (with jsRedirect=1)
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2846, reported by Maxime Besson, updated 2023-01-13T11:06:16Z.
See #2747 for the main issue.
When using jsRedirect=1, LLNG can automatically generate the CSP, but this doesn't work for mobile apps because they are not detected as valid URIs by URIRE.
Milestone: 2.0.16. Assignee: Maxime Besson.

## "No change detected" when removing the last exported attribute/macro/scope, etc.
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2845, reported by Maxime Besson, updated 2023-01-17T15:22:35Z.
### Concerned version
Version: 2.0.15
### Summary
* Configure a CAS/SAML/OIDC peer (SP or IDP)
* Add an exported attribute
* save conf
* remove the exported attribute
* save conf => "No change detected, saving aborted" :x:
### Possible fixes
Emptying exported attributes, IDP/SP macros, etc., is not detected as a change.
Milestone: 2.0.16. Assignee: Maxime Besson.

## Cannot hook storeHistory method after 2FA failure
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2842, reported by Maxime Besson, updated 2023-01-11T13:27:14Z.
### Concerned version
Version: 2.0.15
### Summary
Currently, a plugin that triggers on storeHistory will not be called when 2FA verification fails, only when regular Auth fails.
<details><summary>Plugin example</summary>

```perl
package Lemonldap::NG::Portal::Plugins::StoreHistory;

use Mouse;
use Data::Dumper;
use Lemonldap::NG::Portal::Main::Constants qw/PE_OK PE_ERROR PE_INFO/;

extends 'Lemonldap::NG::Portal::Main::Plugin';

# Declare when LemonLDAP::NG must call your functions
use constant afterSub => { storeHistory => 'myAfterHistory' };

# Called after storeHistory; dumps the session info to the debug log
sub myAfterHistory {
    my ( $self, $req ) = @_;
    $self->logger->debug( Dumper( $req->{sessionInfo} ) );
    return 0;
}

1;
```
</details>
Some users want to be able to run custom steps during authentication failure (mostly related to logging/accounting).
Milestone: 2.0.16. Assignee: Maxime Besson.

## Using Auth::OpenIDConnect twice in Auth::Choice leads to route redefined warning
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2841, reported by Maxime Besson, updated 2023-01-11T17:00:08Z.
### Concerned version
Version: 2.0.15.1
### Summary
* Configure Auth::Choice
* Choice 1: OIDC
* Choice 2: OIDC
### Logs
```
[warn] Route "flogout" redefined
[warn] Route "flogout" redefined
[warn] Route "blogout" redefined
[warn] Route "blogout" redefined
[warn] Route "blogout" redefined
[warn] Route "blogout" redefined
[warn] Route "flogout" redefined
[warn] Route "flogout" redefined
```
### Possible fixes
* Try to detect if an instance of Auth::OpenIDConnect is already loaded and skip addRoute in that case
* Should Auth::OpenIDConnect be a singleton?
Milestone: 2.0.16. Assignee: Maxime Besson.

## password toggle visibility on mobile does not work
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2840, reported by Albert Rinceau, updated 2023-01-24T10:28:01Z.
### Concerned version
Version: %"2.0.15.1"
### Summary
Toggling password visibility on form input fields does not work on mobile.
### Possible fixes
Replace the `mousedown`/`mouseup(function(){...})` JavaScript handlers with `on("mousedown touchstart", function() {...})` / `on("mouseup touchend", ...)`.
Milestone: 2.0.16. Assignee: Albert Rinceau.

## Advanced sessions functions broken with Apache::Session::Redis
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2839, reported by Yadd, updated 2023-01-25T12:24:37Z.
### Concerned version
Version: %2.0.15
Platform: any
### Summary
All search functions are broken. They work fine with Apache::Session::Browseable::Redis.
### Logs
```
Only Redis is supported at blib/lib/Lemonldap/NG/Common/Apache/Session.pm
(autosplit into blib/lib/auto/Lemonldap/NG/Common/Apache/Session/
_NoSQLGKFAS.al) line 400
```
### Backends used
Apache::Session::Redis
Milestone: 2.0.16. Assignee: Yadd.

## We can't duplicate a virtual host with a wildcard
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2835, reported by Clément OUDOT, updated 2022-12-17T21:00:39Z.
When using Manager, duplication of a wildcarded vhost does not work.
Milestone: 2.0.16. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## [Security:medium] Redirection URL validation bypass using credentials in URL
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832, reported by Clément OUDOT, updated 2023-09-22T14:13:30Z.
An attacker can forge a redirection to a malicious site using a fake credentials-in-URL value.
Example:
* Portal: https://auth.openid.club
* Allowed application: https://test1.openid.club
* Malicious site: https://google.fr
* Malicious URL: https://test1.openid.club:test@google.fr
* Malicious URL, base64-encoded: aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=
* Malicious redirection trigger: https://auth.openid.club/?url=aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=
Milestone: 2.0.16. Assignee: Maxime Besson.

## CrowdSec plugin broken: "URL must be absolute"
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2817, reported by Yadd, updated 2022-11-04T10:33:48Z.
### Concerned version
Version: %2.0.12
### Summary
The CrowdSec plugin was broken by commit ff36b81e.
### Logs
```
Bad CrowdSec response: URL must be absolute
```
### Possible fixes
```diff
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CrowdSec.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CrowdSec.pm
@@ -33,7 +33,9 @@ has crowdsecUrl => ( is => 'rw' );
sub init {
my ($self) = @_;
if ( $self->conf->{crowdsecUrl} ) {
- $self->crowdsecUrl( $self->conf->{crowdsecUrl} =~ s#/+$## );
+ my $tmp = $self->conf->{crowdsecUrl};
+ $tmp =~ s#/+$##;
+ $self->crowdsecUrl($tmp);
}
else {
$self->logger->warn(
```
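Review bot: the removed line assigns the return value of `s#/+$##` (the number of substitutions made, or an empty string when nothing matched) to `crowdsecUrl` instead of the trimmed URL, which is how the plugin ends up with a value that is not an absolute URL; the added temporary variable fixes that. On Perl 5.14 or later the same fix fits on one line with the non-destructive `/r` modifier, which returns the modified copy rather than the count: `$self->crowdsecUrl( $self->conf->{crowdsecUrl} =~ s#/+$##r );`.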
Milestone: 2.0.16. Assignee: Yadd.

## Redirection loop with jsRedirect
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2816, reported by Maxime Besson, updated 2022-11-08T08:07:30Z.
### Concerned version
Version: 2.0.15
### Summary
* set jsRedirect = 1
* use SSL auth, by ajax, on a dedicated domain, distinct from the portal domain
* enable SAML, CAS, or OIDC
Then:
* Trigger authentication through a SAML/CAS/OIDC app
* log in using SSL by ajax (does not clean pdata->{url} because it's a different domain :warning: )
* once you are redirected to the application, go back to portal
* redirection loop! :warning:
/saml is called with pdata->url=base64(http://auth.example.com/saml)
### Possible fixes
The loop was fixed in #2061, but not if jsRedirect is enabled.
WIP for #2792 fixes the issue by correctly cleaning the url in pdata on login.
Milestone: 2.0.16. Assignee: Maxime Besson.

## portalSkinRules do not allow special characters in skin name
Issue https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2809, reported by Maxime Besson, updated 2022-10-20T09:50:49Z.
### Concerned version
Version: 2.0.15
Platform: (Nginx/Apache/Node.js)
### Summary
* Create a theme named `my-theme`
* Create a portalSkinRule to enable that theme
* Manager refuses to save the rule with a "Bad value" message
Milestone: 2.0.16. Assignee: Maxime Besson.