REST session server is too intolerant of clock drift (2)
Environment
LemonLDAP::NG version: 2.0.7
Operating system: Debian 10
Web server: Nginx
Summary
See #1923 (closed). Another occurrence of the same problem went unnoticed in NG/Portal/Plugins/RESTServer.pm.
Possible fixes
This:
sub newAuthSession {
    my ( $self, $req, $id ) = @_;
    my $t;
    unless ($t = $req->param('secret')
        and $t = $self->conf->{cipher}->decrypt($t)
        and $t <= time
        and $t > time - 30 )
    {
        return $self->p->sendError( $req, 'Bad secret', 403 );
    }
    # ...
Should be:
sub newAuthSession {
    my ( $self, $req, $id ) = @_;
    my $t;
    unless ($t = $req->param('secret')
        and $t = $self->conf->{cipher}->decrypt($t)
        and $t <= time + $self->conf->{restClockTolerance}
        and $t > time - $self->conf->{restClockTolerance} )
    {
        return $self->p->sendError( $req, 'Bad secret', 403 );
    }
    # ...
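To make the difference between the two windows concrete, here is an added Python model of both checks (not LemonLDAP::NG code); the tolerance value and the client clock offsets are constructed for the illustration, and the decrypted `secret` is modelled directly as the integer timestamp the client encrypted.

```python
# Window hard-coded in the current RESTServer.pm: 30 seconds, past-only.
LEGACY_WINDOW = 30


def legacy_secret_valid(t, now):
    """Current check: the decrypted timestamp t must lie in (now - 30, now].
    A client whose clock is even one second ahead of the server is rejected."""
    return t <= now and t > now - LEGACY_WINDOW


def tolerant_secret_valid(t, now, tolerance):
    """Proposed check: accept t within +/- tolerance seconds of the server clock
    (tolerance plays the role of conf->{restClockTolerance})."""
    return t <= now + tolerance and t > now - tolerance


def compare_checks(server_now, client_offsets, tolerance):
    """For each client clock offset (seconds relative to the server clock),
    return (legacy_ok, tolerant_ok) for the secret that client would produce."""
    results = {}
    for off in client_offsets:
        t = server_now + off  # timestamp the client encrypted into 'secret'
        results[off] = (
            legacy_secret_valid(t, server_now),
            tolerant_secret_valid(t, server_now, tolerance),
        )
    return results


if __name__ == "__main__":
    # Constructed scenario: server clock fixed at 1_000_000, tolerance of 30 s.
    # Note the trade-off: the window also bounds how long a captured secret
    # stays replayable, so the tolerance should stay as small as the real
    # clock skew between portal and REST clients allows.
    for off, (legacy, tolerant) in compare_checks(
        1_000_000, [-60, -20, -5, 0, 1, 5, 60], 30
    ).items():
        print(f"client clock {off:+4d}s  legacy={legacy!s:5}  tolerant={tolerant}")
```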