Commit e0204c6a authored by Christophe Maudoux's avatar Christophe Maudoux

Test submitted user param (#1667)

parent cbf84c7e
......@@ -8,14 +8,15 @@ package Lemonldap::NG::Portal::Auth::_WebForm;
use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_CAPTCHAEMPTY
PE_CAPTCHAERROR
PE_FIRSTACCESS
PE_FORMEMPTY
PE_NOTOKEN
PE_OK
PE_PASSWORDFORMEMPTY
PE_TOKENEXPIRED
PE_CAPTCHAEMPTY
PE_CAPTCHAERROR
PE_FIRSTACCESS
PE_FORMEMPTY
PE_NOTOKEN
PE_OK
PE_PASSWORDFORMEMPTY
PE_TOKENEXPIRED
PE_MALFORMEDUSER
);
our $VERSION = '2.0.0';
......@@ -52,6 +53,13 @@ sub init {
# Read username and password from POST data
sub extractFormInfo {
my ( $self, $req ) = @_;
if ( $req->param('user') ) {
unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o ) {
$self->setSecurity($req);
return PE_MALFORMEDUSER;
}
}
# Detect first access and empty forms
my $defUser = defined $req->param('user');
......@@ -67,18 +75,20 @@ sub extractFormInfo {
# 2. If user and password defined -> login form
elsif ( $defUser and $defPassword ) {
$res = PE_FORMEMPTY
unless ( ( $req->{user} = $req->param('user') )
unless ( ( $req->{user} = $req->param('user') )
&& ( $req->data->{password} = $req->param('password') ) );
}
# 3. If user and oldpassword defined -> password form
elsif ( $defUser and $defOldPassword ) {
$res = PE_PASSWORDFORMEMPTY
unless ( ( $req->{user} = $req->param('user') )
unless (
( $req->{user} = $req->param('user') )
&& ( $req->data->{oldpassword} = $req->param('oldpassword') )
&& ( $req->data->{newpassword} = $req->param('newpassword') )
&& ( $req->data->{confirmpassword} =
$req->param('confirmpassword') ) );
&& ( $req->data->{confirmpassword}
= $req->param('confirmpassword') )
);
}
# If form seems empty
......@@ -138,7 +148,7 @@ sub setAuthSessionInfo {
# WARNING: it can be a security hole
if ( $self->conf->{storePassword} ) {
$req->{sessionInfo}->{'_password'} = $req->data->{'newpassword'}
|| $req->data->{'password'};
|| $req->data->{'password'};
}
# Store user timezone
......
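Review bot: The `/o` modifier on the new match `unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o )` compiles the pattern once per process from whatever `$self->{conf}->{userControl}` held on the first call, so in a long-lived interpreter a later change to userControl would presumably not be seen by this check; since the pattern is a plain interpolated scalar that Perl already caches while the string is unchanged, `unless ( $req->param('user') =~ /$self->{conf}->{userControl}/ )` is the safer form, and the same `/o` appears in the `check` and `Impersonation::run` hunks below. The enclosing `if ( $req->param('user') )` is a truthiness test, so a submitted user of `0` bypasses the filter entirely; `if ( defined $req->param('user') and length $req->param('user') )` tests for presence instead. A comment such as `# Reject user names that do not match the configured userControl pattern before the form is interpreted` would also record why the check is placed ahead of the first-access detection. extractFormInfo continues past the hunk.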
......@@ -6,6 +6,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_BADCREDENTIALS
PE_TOKENEXPIRED
PE_NOTOKEN
PE_MALFORMEDUSER
);
our $VERSION = '2.0.3';
......@@ -75,6 +76,10 @@ sub check {
# Use submitted attribute if exists
my $url = $req->param('url') || '';
unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o ) {
return PE_MALFORMEDUSER;
}
if ( $req->param('user') eq $req->{user} or !$req->param('user') ) {
$self->userLogger->notice("Retrieve session from Sessions database");
$self->userLogger->warn("Using spoofed SSO groups if exist!!!")
......
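Review bot: The new check `unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o )` runs even when no `user` parameter was submitted, yet the very next line explicitly accepts that case (`or !$req->param('user')`); an undefined parameter matches as the empty string (with an uninitialized-value warning under `use warnings`), so unless the configured userControl pattern admits an empty string, requests without a user now get PE_MALFORMEDUSER instead of taking the existing no-user path. Reading the parameter once and guarding on presence keeps that path: `my $user = $req->param('user');` followed by `return PE_MALFORMEDUSER if defined $user and length $user and $user !~ /$self->{conf}->{userControl}/o;`. The Impersonation hunk has the same shape: its `spoofId` check precedes the `# Skip if no submitted SpoofId` handling, so a request with no spoofId would be rejected rather than skipped. check begins before the hunk.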
......@@ -3,7 +3,7 @@ package Lemonldap::NG::Portal::Plugins::Impersonation;
use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants
qw( PE_OK PE_BADCREDENTIALS PE_IMPERSONATION_SERVICE_NOT_ALLOWED );
qw( PE_OK PE_BADCREDENTIALS PE_IMPERSONATION_SERVICE_NOT_ALLOWED PE_MALFORMEDUSER );
our $VERSION = '2.0.3';
......@@ -43,6 +43,11 @@ sub init {
sub run {
my ( $self, $req ) = @_;
unless ( $req->param('spoofId') =~ /$self->{conf}->{userControl}/o ) {
return PE_MALFORMEDUSER;
}
my $spoofId = $req->param('spoofId') || '';
# Skip if no submitted SpoofId
......
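Review bot: The new `spoofId` filter carries no comment explaining why an impersonation target is screened with the same userControl pattern as a submitted login name, and nothing in the hunk ties the two together; a line such as `# The spoofed identity is subject to the same userControl filter as a login user name` above the `unless` would record that intent. The check also calls `$req->param('spoofId')` independently of the `my $spoofId = $req->param('spoofId') || '';` assignment that follows it; moving the assignment first and matching against `$spoofId` reads the parameter once and keeps a single value under test. run continues past the hunk.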