Improve headers deletion (#2434)

2021-01-14 13:49:08 +01:00 · 2021-01-14 13:49:08 +01:00 · 30c7c21a06
parent be7a52844b
commit 30c7c21a06
4 changed files with 28 additions and 3 deletions
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/Main.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/Main.pm
@ -27,17 +27,21 @@ sub set_header_in {

 sub unset_header_in {
    my ( $class, $req, @headers ) = @_;
-    my $i = 1;
+    $req->data->{deleteIndex} //= 1;
+    my $i = $req->data->{deleteIndex};
    foreach my $header(@headers) {
        $class->logger->debug("Delete header $header");
        $req->{respHeaders} = [ grep { $_ ne $header and $_ ne cgiName($header) }
              @{ $req->{respHeaders} } ];
        delete $req->{env}->{ cgiName($header) };
        push @{ $req->{respHeaders} }, "Deleteheader$i", $header;
+        $i++;
+        push @{ $req->{respHeaders} }, "Deleteheader$i", cgiName($header);
        $header =~ s/-/_/g;
        delete $req->{env}->{$header};
        $i++;
    }
+    $req->data->{deleteIndex} = $i;
 }

 # Inheritence is broken in this case with Debian >= jessie
--- a/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
+++ b/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
@ -225,7 +225,7 @@ count(2);

 # Forged headers
 ok( $res = $client->_get( '/skipif/zz', undef, 'test1.example.com', undef, HTTP_AUTH_USER => 'rtyler' ),
-    'Test skip() rule 2' );
+    'Test skip() with forged header' );
 ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
 count(2);

--- a/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t
+++ b/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t
@ -191,6 +191,28 @@ ok(
  );
 count(3);

+# Clean headers
+ok(
+    $res = $client->_get(
+        '/skipif/zz', undef, 'test1.example.com', undef,
+        HTTP_AUTH_USER => 'rtyler'
+    ),
+    'Test skip() with forged header'
+);
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
+count(2);
+%h = @{ $res->[1] };
+my %delete;
+foreach ( keys %h ) {
+    /^Deleteheader\d$/ and $delete{ $h{$_} }++;
+}
+foreach (qw(Cookie HTTP_COOKIE Auth-User HTTP_AUTH_USER)) {
+    ok( $delete{$_}, "Delete command for $_" )
+      or explain( \%h, 'Delete* headers' );
+    ok( !$h{$_}, "$_ is deleted" ) or explain( \%h, 'Delete* headers' );
+    count(2);
+}
+
 done_testing( count() );

 clean();
--- a/lemonldap-ng-handler/t/custom.pm
+++ b/lemonldap-ng-handler/t/custom.pm
@ -5,7 +5,6 @@ sub accessToTrace {
    my $custom  = $hash->{custom};
    my $req     = $hash->{req};
    my $vhost   = $hash->{vhost};
-    my $custom  = $hash->{custom};
    my $params  = $hash->{params};
    my $session = $hash->{session};