Commit dc8ac803 authored by Yadd's avatar Yadd

autoRedirect works (#595)

but macros() doesn't
parent a7f67068
......@@ -93,15 +93,20 @@ sub status {
# Launch $self->api::run() and then handler() if
# response is 200.
sub _authAndTrace {
my ( $self, $req ) = @_;
my ( $self, $req, $noCall ) = @_;
my $res = $self->api->run( $req, $self->{rule} );
$self->portal( $self->api->tsv->{portal}->() );
$req->userData( $self->api->datas ) if ( $self->api->datas );
if ( $res < 300 ) {
$self->lmLog( 'User authenticated, calling handler()', 'debug' );
$res = $self->handler($req);
push @{ $res->[1] }, @{ $req->{respHeaders} };
if ($noCall) {
return [ $res, $req->{respHeaders}, [] ];
}
else {
$self->lmLog( 'User authenticated, calling handler()', 'debug' );
$res = $self->handler($req);
push @{ $res->[1] }, @{ $req->{respHeaders} };
}
return $res;
}
else {
......
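Review bot: The header comment `# Launch $self->api::run() and then handler() if response is 200.` no longer describes the sub: the new third argument `$noCall` skips `handler()` altogether and returns a bare `[ $res, $req->{respHeaders}, [] ]` triplet, and the condition is `$res < 300`, not 200. Suggest replacing it with `# Launch $self->api->run(); when the status is < 300, call handler() unless $noCall is set, in which case return [ $status, $req->{respHeaders}, [] ] without calling it.` Note also that the `$noCall` branch returns `$req->{respHeaders}` itself rather than a copy, so a caller that pushes onto `$res->[1]` (as the non-`$noCall` branch does) would be modifying the request's own header list; `return [ $res, [ @{ $req->{respHeaders} } ], [] ];` avoids that sharing. The `else` branch of `_authAndTrace` lies outside this hunk.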
......@@ -51,8 +51,8 @@ sub _run {
return sub {
my $req = Lemonldap::NG::Common::PSGI::Request->new( $_[0] );
my $res = $self->_authAndTrace($req);
if ( $res->[0] == 200 ) {
my $res = $self->_authAndTrace( $req, 1 );
if ( $res->[0] < 300 ) {
$self->routes( $self->authRoutes );
$req->userData( $self->api->datas );
}
......
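Review bot: With the new `_authAndTrace( $req, 1 )` call, `$req->userData( $self->api->datas )` has already been set inside `_authAndTrace` (guarded by `if ( $self->api->datas )`) before the `$noCall` early return, so the unguarded repeat on the line after the `< 300` test appears redundant and, when `datas` is false, stores an empty value the guarded call deliberately avoided. If nothing else in `_run` depends on it, the line looks droppable; the remainder of `_run` is outside this hunk, so this is inferred from the visible lines only.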
......@@ -99,6 +99,26 @@ sub controlUrl {
PE_OK;
}
# Check value to detect XSS attack
# @param name Parameter name
# @param value Parameter value
# @return 1 if attack detected, 0 else
sub checkXSSAttack {
my ( $self, $name, $value ) = @_;
# Empty values are not bad
return 0 unless $value;
# Test value
if ( $value =~ m/(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/ ) {
$self->lmLog( "XSS attack detected (param: $name | value: $value)",
"warn" );
return $self->conf->{checkXSS};
}
return 0;
}
# Second block: auth process (call auth or userDB object)
# -------------------------------------------------------
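Review bot: The percent-encoded alternatives in the pattern on the `if ( $value =~ m/...` line are matched case-sensitively, so lowercase encodings such as `%3c` or `%27` pass the check while `%3C` is caught; percent-encoding hex digits are case-insensitive, so the match should carry `/i`: `if ( $value =~ m/(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/i ) {`. The header comment `# @return 1 if attack detected, 0 else` does not match the code, which returns `$self->conf->{checkXSS}` on detection, i.e. 0 when the check is disabled in the configuration; suggest `# @return conf->{checkXSS} (so 0 when the check is disabled) if an attack is detected, 0 else`. The warn-level log line also writes the untrusted `$value` verbatim, so newlines and other control characters it contains reach the log unchanged; consider logging a copy with non-printable characters stripped, e.g. `( my $shown = $value ) =~ s/[^[:print:]]/?/g;`.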
......@@ -261,7 +281,7 @@ sub store {
}
$self->lmLog( "Store $displayValue in session key $k", 'debug' );
$self->_dump($displayValue) if ref($displayValue);
$infos->{$k} = $self->{sessionInfo}->{$k};
$infos->{$k} = $req->{sessionInfo}->{$k};
}
$session->update($infos);
......
......@@ -173,7 +173,7 @@ sub autoRedirect {
];
}
else {
return $self->sendHtml( $req->template || 'menu' );
return $self->sendHtml( $req, $req->template || 'menu' );
}
}
......
......@@ -12,6 +12,11 @@ ok( $res = &client->_get('/'), 'Unauth JSON request' );
ok( $res->[0] == 401, 'Response is 401' ) or explain( $res, 401 );
count(2);
ok( $res = &client->_get('/?url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tLw=='),
'Unauth ajax request with good url' );
ok( $res->[0] == 401, 'Response is 401' ) or explain( $res, 401 );
count(2);
ok(
$res = &client->_post(
'/', '',
......@@ -24,9 +29,20 @@ ok(
my $cookies = getCookies($res);
my $id;
ok( $id = $cookies->{lemonldap}, 'Get cookie' );
print STDERR Dumper($res);
count(2);
clean_sessions();
ok(
$res = &client->_get(
'/',
query => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tLw==',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Auth ajax request with good url'
);
count(1);
print STDERR Dumper($res);
#clean_sessions();
done_testing( count() );
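Review bot: The new 'Auth ajax request with good url' test only asserts that `_get` returned something; the response is dumped with `print STDERR Dumper($res)` instead of being checked, so a regression in the redirect this commit fixes (the 'autoRedirect works' in the title) would not fail the test. Add an `ok( $res->[0] == <expected status>, ... )` and a check on the redirect header the authenticated request is expected to produce, and bump `count(1)` accordingly. The two `print STDERR Dumper($res)` lines, the commented-out `#clean_sessions();` at the end, and the `print STDERR Data::Dumper::Dumper( \%args );` added to `_get` in the test client hunk look like debugging leftovers that will spam every test run.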
......@@ -80,6 +80,7 @@ has app => (
sub _get {
my ( $self, $path, %args ) = @_;
print STDERR Data::Dumper::Dumper( \%args );
return $self->app->(
{
'HTTP_ACCEPT' => $args{accept}
......@@ -89,7 +90,7 @@ sub _get {
'HTTP_CACHE_CONTROL' => 'max-age=0',
'HTTP_ACCEPT_LANGUAGE' => 'fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3',
'PATH_INFO' => $path,
( $args{cookie} ? ( 'COOKIE' => $args{cookie} ) : () ),
( $args{cookie} ? ( 'HTTP_COOKIE' => $args{cookie} ) : () ),
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => $path
. ( $args{query} ? "?$args{query}" : '' ),
......