Commit 4d47d927 authored by Yadd's avatar Yadd
Browse files

* Debian upgrade for jquery management

 * SQL injection protection for DBI
 * Regexp to control user field
 * Missing parameters in _Struct.pm
 * Bad errors management in Uploader
parent 29b8c868
......@@ -75,7 +75,7 @@ install: build
find $(CURDIR)/debian/tmp -type f -regex '.*/jquery-[0-9].*\.js' -delete
find $(CURDIR)/debian/tmp -type f -name jquery.js -delete
rm -f $(CURDIR)/debian/tmp$(LMSHAREDIR)*-skins/*/jquery.js
perl -i -pe 's#(["'"'"'])\S*?jquery(-\d[\.\w\-]*?)?.js#$$1/javascript/jquery/jquery.js#' \
perl -i -pe 's#src=(["'"'"']).*?jquery(-\d[\.\w\-]*?)?.js#src=$$1/javascript/jquery/jquery.js#i' \
$(CURDIR)/debian/tmp/examples/manager/*.pl \
$(CURDIR)/debian/tmp$(LMSHAREDIR)manager-skins/default/*.tpl \
$(CURDIR)/debian/tmp$(LMSHAREDIR)portal-skins/pastel/*.tpl
......
......@@ -43,7 +43,7 @@ sub confUpload {
my $newConf = { cfgNum => $self->{cfgNum} };
# Loading returned parameters
my $res;
my $errors = {};
foreach ( @{ $result->getChildrenByTagName('element') } ) {
my ( $id, $name, $value ) = (
$_->getAttribute('id'),
......@@ -63,7 +63,7 @@ sub confUpload {
my ( $res, $m );
if ( !defined($test) ) {
$res->{errors}->{$name} =
$errors->{errors}->{$name} =
"Key $name: Lemonldap::NG::Manager error, see Apache's logs";
$self->lmLog(
"Unknown configuration key $id (name: $name, value: $value)",
......@@ -78,27 +78,27 @@ sub confUpload {
if ( $test->{keyTest} ) {
( $res, $m ) = $self->applyTest( $test->{keyTest}, $name );
unless ($res) {
$res->{errors}->{$name} = $m || $test->{keyMsgFail};
$errors->{errors}->{$name} = $m || $test->{keyMsgFail};
next;
}
}
if ( $test->{test} ) {
( $res, $m ) = $self->applyTest( $test->{test}, $value );
unless ($res) {
$res->{errors}->{$name} = $m || $test->{msgFail};
$errors->{errors}->{$name} = $m || $test->{msgFail};
next;
}
}
if ( $test->{warnKeyTest} ) {
( $res, $m ) = $self->applyTest( $test->{warnKeyTest}, $name );
unless ($res) {
$res->{warnings}->{$name} = $m || $test->{keyMsgWarn};
$errors->{warnings}->{$name} = $m || $test->{keyMsgWarn};
}
}
if ( $test->{warnTest} ) {
( $res, $m ) = $self->applyTest( $test->{warnTest}, $value );
unless ($res) {
$res->{warnings}->{$name} = $m || $test->{keyMsgWarn};
$errors->{warnings}->{$name} = $m || $test->{keyMsgWarn};
}
}
}
......@@ -124,12 +124,13 @@ sub confUpload {
}
}
#print STDERR Dumper( $newConf, $res );
$res->{result}->{cfgNum} = $self->confObj->saveConf($newConf)
unless ( $res->{errors} );
#print STDERR Dumper( $newConf, $errors );
#print STDERR Dumper($errors);
$errors->{result}->{cfgNum} = $self->confObj->saveConf($newConf)
unless ( $errors->{errors} );
my $buf = '{';
my $i = 0;
while ( my ( $type, $h ) = each %$res ) {
while ( my ( $type, $h ) = each %$errors ) {
$buf .= ',' if ($i);
$buf .= "'$type':{";
$buf .= join( ',', map { "'$_':'$h->{$_}'" } keys %$h );
......
......@@ -52,13 +52,13 @@ sub struct {
_nodes => [
qw(portal authentication userDB syslog whatToTrace singleSession singleIP singleUserByIP)
],
_help => 'authParams',
authentication => 'text:/authentication',
portal => 'text:/portal',
userDB => 'text:/userDB',
syslog => 'int:/syslog',
_help => 'authParams',
authentication => 'text:/authentication',
portal => 'text:/portal',
userDB => 'text:/userDB',
syslog => 'int:/syslog',
useXForwardedForIP => 'int:/useXForwardedForIP',
whatToTrace => 'text:/whatToTrace:whatToTrace:text',
whatToTrace => 'text:/whatToTrace:whatToTrace:text',
singleSession => 'int:/singleSession',
singleIP => 'int:/singleIP',
singleUserByIP => 'int:/singleUserByIP',
......@@ -66,7 +66,7 @@ sub struct {
cookieParams => {
_nodes =>
[qw(cookieName domain securedCookie cookieExpiration)],
_help => 'cookies',
_help => 'cookies',
cookieName => 'text:/cookieName:cookieName:text',
domain => 'text:/domain:domain:text',
securedCookie =>
......@@ -104,19 +104,19 @@ sub struct {
},
advancedParams => {
_nodes => [
qw(Soap exportedAttr storePassword trustedDomains status https protection notifications passwordManagement)
qw(Soap exportedAttr storePassword trustedDomains status https notifications passwordManagement userControl)
],
Soap => 'int:/Soap',
Soap => 'int:/Soap',
https => 'int:/https',
exportedAttr => 'text:/exportedAttr',
exportedAttr => 'text:/exportedAttr',
storePassword => 'int:/storePassword',
notifications => {
_nodes => [
qw(notification notificationStorage notificationStorageOptions)
],
_help => 'notifications',
_help => 'notifications',
notification => 'int:/notification',
notificationStorage => 'text:/notificationStorage',
notificationStorage => 'text:/notificationStorage',
notificationStorageOptions => {
_nodes => ['hash:/notificationStorageOptions'],
_js => 'hashRoot'
......@@ -135,13 +135,19 @@ sub struct {
},
trustedDomains => 'text:/trustedDomains',
status => 'int:/status',
protection => 'int:/protection',
userControl => 'text:/userControl:userControl:text',
}
},
groups =>
{ _nodes => ['hash:/groups:groups:btext'], _js => 'hashRoot', _help => 'default', },
virtualHosts =>
{ _nodes => ['nhash:/locationRules:virtualHosts:none'], _upload => ['/exportedHeaders'], _help => 'default', },
groups => {
_nodes => ['hash:/groups:groups:btext'],
_js => 'hashRoot',
_help => 'default',
},
virtualHosts => {
_nodes => ['nhash:/locationRules:virtualHosts:none'],
_upload => ['/exportedHeaders'],
_help => 'default',
},
};
}
......@@ -158,8 +164,25 @@ sub testStruct {
return ( $@ ? ( 0, $@ ) : 1 );
};
my $boolean = { test => qr/^(?:0|1)?$/, msgFail => 'Value must be 0 or 1' };
my $pcre = sub {
my $r = shift;
my $q;
eval { $q = qr/$r/ };
return ( $@ ? ( 0, $@ ) : 1 );
};
my $testNotDefined = { test => sub { 1 }, msgFail => 'Ok' };
return {
authentication => {
mailFrom => $testNotDefined,
trustedDomains => $testNotDefined,
exportedAttr => $testNotDefined,
mailSubject => $testNotDefined,
randomPasswordRegexp => $testNotDefined,
passwordDB => $testNotDefined,
mailBody => $testNotDefined,
SMTPServer => $testNotDefined,
cookieExpiration => $testNotDefined,
notificationStorage => $testNotDefined,
authentication => {
test => qr/^[a-zA-Z][\w\:]*$/,
msgFail => 'Bad module name',
},
......@@ -175,7 +198,7 @@ sub testStruct {
test => qr/^https?:\/\/\S+$/,
msgFail => 'Bad portal value',
},
cda => $boolean,
cda => $boolean,
cookieName => {
test => qr/^[a-zA-Z]\w*$/,
msgFail => 'Bad cookie name',
......@@ -224,7 +247,7 @@ sub testStruct {
test => qr/^(?:\w+=.*,\w+=.*)?$/,
msgFail => 'Bad LDAP dn',
},
managerPassword => {},
managerPassword => {},
notificationStorage => {
test => qr/^[\w:]+$/,
msgFail => 'Bad module name',
......@@ -233,7 +256,7 @@ sub testStruct {
keyTest => qr/^\w+$/,
keyMsgFail => 'Bad parameter',
},
groups => {
groups => {
keyTest => qr/^\w[\w-]*$/,
keyMsgFail => 'Bad group name',
test => $perlExpr,
......@@ -263,13 +286,8 @@ sub testStruct {
keyTest => qr/^[a-zA-Z](?:[\w\-\.]*\w)?$/,
msgFail => 'Bad virtual host name',
'*' => {
keyTest => sub {
my $r = shift;
my $q;
eval { $q = qr/$r/ };
return ( $@ ? ( 0, $@ ) : 1 );
},
test => sub {
keyTest => $pcre,
test => sub {
my $e = shift;
return 1 if ( $e eq 'accept' or $e eq 'deny' );
if ( $e =~ s/^logout(?:_(?:app|sso|app_sso))?\s*// ) {
......@@ -291,9 +309,9 @@ sub testStruct {
},
},
exportedHeaders => {
keyTest => qr/^[a-zA-Z](?:[\w\-\.]*\w)?$/,
msgFail => 'Bad virtual host name',
'*' => {
keyTest => qr/^[a-zA-Z](?:[\w\-\.]*\w)?$/,
keyMsgFail => 'Bad virtual host name',
'*' => {
keyTest => qr/^\w([\w\-]*\w)?$/,
keyMsgFail => 'Bad header name',
test => $perlExpr,
......@@ -304,10 +322,10 @@ sub testStruct {
},
},
},
syslog => $boolean,
Soap => $boolean,
syslog => $boolean,
Soap => $boolean,
storePassword => $boolean,
notification => $boolean,
notification => $boolean,
status => $boolean,
https => $boolean,
protection => {
......@@ -318,6 +336,10 @@ sub testStruct {
singleSession => $boolean,
singleIP => $boolean,
singleUserByIP => $boolean,
userControl => {
test => $pcre,
msgFail => 'Bad regular expression',
},
};
}
......@@ -325,15 +347,17 @@ sub testStruct {
#@return Hashref of default values
sub defaultConf {
return {
authentication => 'LDAP',
userDB => 'LDAP',
ldapServer => 'localhost',
globalStorage => 'Apache::Session::File',
authentication => 'LDAP',
userDB => 'LDAP',
ldapServer => 'localhost',
globalStorage => 'Apache::Session::File',
globalStorageOptions => {
'Directory' => '/var/lib/lemonldap-ng/sessions/',
'Directory' => '/var/lib/lemonldap-ng/sessions/',
'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/'
},
timeout => 7200,
timeout => 7200,
userControl => '^[\w\.\-@]+$',
notificationStorage => 'File',
};
}
......
......@@ -72,6 +72,7 @@ sub en {
sessionStorage => 'Sessions Storage',
timeout => 'Sessions timeout',
userDB => 'Users database type',
userControl => 'Username control',
virtualHosts => 'Virtual Hosts',
whatToTrace => "Attribute to use in Apache's logs",
};
......@@ -105,6 +106,7 @@ sub fr {
sessionStorage => 'Stockage des sessions',
timeout => 'Durée de vie des sessions',
userDB => "Type de base de données d'utilisateurs",
userControl => "Contrôle du nom d'utilisateur",
virtualHosts => 'Hôtes virtuels',
whatToTrace => "Donnée à inscrire dans les journaux d'Apache",
};
......
......@@ -47,7 +47,9 @@ sub authenticate {
my $loginCol = $self->{dbiAuthLoginCol};
my $passwordCol = $self->{dbiAuthPasswordCol};
my $user = $self->{user};
my $password;
my $password = $self->{password};
$user =~ s/'/''/g;
$password =~ s/'/''/g;
# Manage password hash
if ( $self->{dbiAuthPasswordHash} =~ /^(md5|sha|sha1)$/i ) {
......@@ -55,24 +57,30 @@ sub authenticate {
"Using " . uc( $self->{dbiAuthPasswordHash} ) . " to hash password",
'debug'
);
$password =
uc( $self->{dbiAuthPasswordHash} ) . "('" . $self->{password} . "')";
$password = uc( $self->{dbiAuthPasswordHash} ) . "('$password')";
}
else {
$self->lmLog( "No valid password hash, using clear text for password",
'debug' );
$password = "'" . $self->{password} . "'";
$password = "'$password'";
}
my $sth = $dbh->prepare(
my @rows = ();
eval {
my $sth = $dbh->prepare(
"SELECT $loginCol FROM $table WHERE $loginCol='$user' AND $passwordCol=$password"
);
);
$sth->execute();
$sth->execute();
my @rows = $sth->fetchrow_array();
@rows = $sth->fetchrow_array();
};
if ($@) {
$self->lmLog( "DBI error: $@", 'error' );
return PE_ERROR;
}
if ( $#rows eq 0 ) {
if ( @rows == 1 ) {
$self->lmLog( "One row returned by SQL query", 'debug' );
return PE_OK;
}
......
......@@ -78,6 +78,7 @@ use constant {
PE_BADURL => 37,
PE_NOSCHEME => 38,
PE_BADOLDPASSWORD => 39,
PE_MALFORMEDUSER => 40,
};
# EXPORTER PARAMETERS
......@@ -91,7 +92,7 @@ our @EXPORT =
PE_PP_PASSWORD_TOO_SHORT PE_PP_PASSWORD_TOO_YOUNG
PE_PP_PASSWORD_IN_HISTORY PE_PP_GRACE PE_PP_EXP_WARNING
PE_PASSWORD_MISMATCH PE_PASSWORD_OK PE_NOTIFICATION PE_BADURL
PE_NOSCHEME PE_BADOLDPASSWORD);
PE_NOSCHEME PE_BADOLDPASSWORD PE_MALFORMEDUSER);
our %EXPORT_TAGS = ( 'all' => [ @EXPORT, 'import' ], );
our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
......
......@@ -30,20 +30,8 @@ sub userDBInit {
# Do nothing
# @return Lemonldap::NG::Portal constant
sub getUser {
PE_OK;
}
## @apmethod int setSessionInfo()
# Get columns for each exportedVars
# @return Lemonldap::NG::Portal constant
sub setSessionInfo {
my $self = shift;
# Return if no data to collect
return PE_OK
unless ( $self->{exportedVars}
and ref( $self->{exportedVars} ) eq 'HASH' );
# Connect
my $dbh =
$self->dbh( $self->{dbiUserChain}, $self->{dbiUserUser},
......@@ -52,19 +40,40 @@ sub setSessionInfo {
my $table = $self->{dbiUserTable};
my $pivot = $self->{userPivot};
my $user = $self->{user};
$user =~ s/'/''/g;
eval {
my $sth = $dbh->prepare("SELECT * FROM $table WHERE $pivot='$user'");
$sth->execute();
unless ( $self->{entry} = $sth->fetchrow_hashref() ) {
$self->lmLog( "User $user not found", 'notice' );
return PE_BADCREDENTIALS;
}
};
if ($@) {
$self->lmLog( "DBI error: $@", 'error' );
return PE_ERROR;
}
my $sth = $dbh->prepare(
"SELECT * FROM $table WHERE $pivot='" . $self->{user} . "'" );
PE_OK;
}
$sth->execute();
## @apmethod int setSessionInfo()
# Get columns for each exportedVars
# @return Lemonldap::NG::Portal constant
sub setSessionInfo {
my $self = shift;
my $result = $sth->fetchrow_hashref();
# Return if no data to collect
return PE_OK
unless ( $self->{exportedVars}
and ref( $self->{exportedVars} ) eq 'HASH' );
foreach ( keys %{ $self->{exportedVars} } ) {
if ( exists $result->{ $self->{exportedVars}->{$_} } ) {
$self->{sessionInfo}->{$_} =
$result->{ $self->{exportedVars}->{$_} };
}
while ( my ( $var, $attr ) = each %{ $self->{exportedVars} } ) {
$self->{sessionInfo}->{$var} = $self->{entry}->{$attr}
if ( defined $self->{entry}->{$attr} );
}
PE_OK;
......
......@@ -27,15 +27,17 @@ sub extractFormInfo {
return PE_FORMEMPTY
unless (
(
( $self->{'user'} = $self->param('user') )
&& ( ( $self->{'password'} = $self->param('password') )
|| ( $self->{'newpassword'} = $self->param('newpassword') ) )
( $self->{user} = $self->param('user') )
&& ( ( $self->{password} = $self->param('password') )
|| ( $self->{newpassword} = $self->param('newpassword') ) )
)
|| ( $self->{'mail'} = $self->param('mail') )
|| ( $self->{mail} = $self->param('mail') )
);
$self->{'oldpassword'} = $self->param('oldpassword');
$self->{'confirmpassword'} = $self->param('confirmpassword');
$self->{'timezone'} = $self->param('timezone');
$self->{oldpassword} = $self->param('oldpassword');
$self->{confirmpassword} = $self->param('confirmpassword');
$self->{timezone} = $self->param('timezone');
$self->{userControl} ||= '^[\w\.\-@]+$';
return PE_MALFORMEDUSER unless ( $self->{user} =~ /$self->{userControl}/o );
PE_OK;
}
......
......@@ -127,6 +127,7 @@ sub error_fr {
'Mauvaise URL',
'Aucun schéma disponible',
'Ancien mot de passe invalide',
"Nom d'utilisateur incorrect",
];
}
......@@ -175,6 +176,7 @@ sub error_en {
'Bad URL',
'No scheme available',
'Bad old password',
'Bad username',
];
}
......@@ -224,5 +226,6 @@ sub error_ro {
'Rea URL',
'No scheme available',
'Bad old password',
'Bad username',
];
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment