Working on logout and XSS (#595)
This commit is contained in:
parent
76fd9a5545
commit
47de9275fa
|
@ -15,6 +15,7 @@ has HTTP_ACCEPT_ENCODING => ( is => 'ro', reader => 'encodings' );
|
||||||
has HTTP_ACCEPT_LANGUAGE => ( is => 'ro', reader => 'languages' );
|
has HTTP_ACCEPT_LANGUAGE => ( is => 'ro', reader => 'languages' );
|
||||||
has HTTP_COOKIE => ( is => 'ro', reader => 'cookies' );
|
has HTTP_COOKIE => ( is => 'ro', reader => 'cookies' );
|
||||||
has HTTP_HOST => ( is => 'ro', reader => 'hostname' );
|
has HTTP_HOST => ( is => 'ro', reader => 'hostname' );
|
||||||
|
has REFERER => ( is => 'ro', reader => 'referer' );
|
||||||
has REMOTE_ADDR => ( is => 'ro', isa => 'Str', reader => 'remote_ip' );
|
has REMOTE_ADDR => ( is => 'ro', isa => 'Str', reader => 'remote_ip' );
|
||||||
has REMOTE_PORT => ( is => 'ro', isa => 'Int', reader => 'port' );
|
has REMOTE_PORT => ( is => 'ro', isa => 'Int', reader => 'port' );
|
||||||
has REQUEST_METHOD => ( is => 'ro', isa => 'Str', reader => 'method' );
|
has REQUEST_METHOD => ( is => 'ro', isa => 'Str', reader => 'method' );
|
||||||
|
|
|
@ -75,7 +75,7 @@ sub controlUrl {
|
||||||
# For logout request, test if Referer comes from an authorizated site
|
# For logout request, test if Referer comes from an authorizated site
|
||||||
my $tmp = (
|
my $tmp = (
|
||||||
$req->param('logout')
|
$req->param('logout')
|
||||||
? $ENV{HTTP_REFERER}
|
? $req->referer
|
||||||
: $req->{urldc}
|
: $req->{urldc}
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -112,7 +112,8 @@ sub controlUrl {
|
||||||
sub checkLogout {
|
sub checkLogout {
|
||||||
my ( $self, $req ) = @_;
|
my ( $self, $req ) = @_;
|
||||||
if ( $req->param('logout') ) {
|
if ( $req->param('logout') ) {
|
||||||
$req->steps( [ @{ $self->beforeLogout }, 'deleteSession' ] );
|
$req->steps(
|
||||||
|
[ @{ $self->beforeLogout }, 'authLogout', 'deleteSession' ] );
|
||||||
}
|
}
|
||||||
PE_OK;
|
PE_OK;
|
||||||
}
|
}
|
||||||
|
|
|
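Review bot: The new attribute `has REFERER => ( is => 'ro', reader => 'referer' );` in the first hunk breaks the `HTTP_*` naming of its siblings (`HTTP_COOKIE`, `HTTP_HOST`), and a PSGI/CGI environment presents the Referer header under the key `HTTP_REFERER`, which is exactly what the replaced `$ENV{HTTP_REFERER}` in the controlUrl hunk read. If these attributes are filled from the env hash by name, `$req->referer` stays undefined on a real request and the logout referer check in controlUrl never sees a referer, while the test-lib `_get` hunk at the end of the page masks this by injecting a `REFERER` key that no server would set. Suggest `has HTTP_REFERER => ( is => 'ro', reader => 'referer' );` and, in test-lib, `( $args{referer} ? ( HTTP_REFERER => $args{referer} ) : () ),` so the tests exercise the same path as production. The remainder of controlUrl, where `$tmp` is validated, is outside the hunk.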
@ -47,6 +47,9 @@ has template => ( is => 'rw' );
|
||||||
# Boolean to indicate that response must be a redirection
|
# Boolean to indicate that response must be a redirection
|
||||||
has mustRedirect => ( is => 'rw' );
|
has mustRedirect => ( is => 'rw' );
|
||||||
|
|
||||||
|
# Store URL for redirections
|
||||||
|
has urldc => ( is => 'rw' );
|
||||||
|
|
||||||
# Boolean to indicate that url isn't Base64 encoded
|
# Boolean to indicate that url isn't Base64 encoded
|
||||||
has urlNotBase64 => ( is => 'rw' );
|
has urlNotBase64 => ( is => 'rw' );
|
||||||
|
|
||||||
|
|
|
@ -86,8 +86,8 @@ sub authenticatedRequest {
|
||||||
return $self->do(
|
return $self->do(
|
||||||
$req,
|
$req,
|
||||||
[
|
[
|
||||||
'importHandlerDatas', 'checkLogout',
|
'importHandlerDatas', 'controlUrl',
|
||||||
'controlUrl', @{ $self->forAuthUser }
|
'checkLogout', @{ $self->forAuthUser }
|
||||||
]
|
]
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
@ -97,8 +97,8 @@ sub postAuthenticatedRequest {
|
||||||
return $self->do(
|
return $self->do(
|
||||||
$req,
|
$req,
|
||||||
[
|
[
|
||||||
'importHandlerDatas', 'checkLogout',
|
'importHandlerDatas', 'restoreArgs',
|
||||||
'restoreArgs', 'controlUrl',
|
'controlUrl', 'checkLogout',
|
||||||
@{ $self->forAuthUser }
|
@{ $self->forAuthUser }
|
||||||
]
|
]
|
||||||
);
|
);
|
||||||
|
@ -106,8 +106,13 @@ sub postAuthenticatedRequest {
|
||||||
|
|
||||||
sub logout {
|
sub logout {
|
||||||
my ( $self, $req ) = @_;
|
my ( $self, $req ) = @_;
|
||||||
return $self->do( $req,
|
return $self->do(
|
||||||
[ @{ $self->beforeLogout }, 'authLogout', 'deleteSession' ] );
|
$req,
|
||||||
|
[
|
||||||
|
'controlUrl', @{ $self->beforeLogout },
|
||||||
|
'authLogout', 'deleteSession'
|
||||||
|
]
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
# RUNNING METHODS
|
# RUNNING METHODS
|
||||||
|
@ -182,10 +187,8 @@ sub autoRedirect {
|
||||||
|
|
||||||
# Redirection should be made if urldc defined
|
# Redirection should be made if urldc defined
|
||||||
if ( $req->{urldc} ) {
|
if ( $req->{urldc} ) {
|
||||||
return [
|
return [ 302, [ Location => $req->{urldc}, @{ $req->respHeaders } ],
|
||||||
302, [ Location => $req->{urldc}, @{ $req->respHeaders } ],
|
[] ];
|
||||||
[]
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
my ( $tpl, $prms ) = $self->display($req);
|
my ( $tpl, $prms ) = $self->display($req);
|
||||||
|
|
|
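Review bot: Placing `'controlUrl'` before `'checkLogout'` in authenticatedRequest and postAuthenticatedRequest, and at the head of the list in logout, encodes an ordering invariant that nothing in the code states, so a later edit could swap the steps back without any test naming the reason. Suggest a one-line comment on each step list, e.g. `# controlUrl must run before checkLogout: a logout is only honoured once the url/referer has been validated` (the referer test itself lives in controlUrl, outside these hunks). The list `[ @{ $self->beforeLogout }, 'authLogout', 'deleteSession' ]` now appears both in checkLogout and in logout; a small shared helper returning it would keep the two from drifting apart.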
@ -8,7 +8,13 @@ BEGIN {
|
||||||
|
|
||||||
require 't/test-lib.pm';
|
require 't/test-lib.pm';
|
||||||
|
|
||||||
init( { useSafeJail => 1, trustedDomains => 'example3.com *.example2.com' } );
|
init(
|
||||||
|
{
|
||||||
|
logLevel => 'error',
|
||||||
|
useSafeJail => 1,
|
||||||
|
trustedDomains => 'example3.com *.example2.com'
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
my @tests = (
|
my @tests = (
|
||||||
|
|
||||||
|
@ -87,12 +93,12 @@ my @tests = (
|
||||||
|
|
||||||
# 19 url=http://www.toto.com/, good referer
|
# 19 url=http://www.toto.com/, good referer
|
||||||
'aHR0cDovL3d3dy50b3RvLmNvbS8=',
|
'aHR0cDovL3d3dy50b3RvLmNvbS8=',
|
||||||
'http://test.example.com/' => 1,
|
'http://test1.example.com/' => 1,
|
||||||
'Logout required by good site',
|
'Logout required by good site',
|
||||||
|
|
||||||
# 20 url=http://www?<script>, good referer
|
# 20 url=http://www?<script>, good referer
|
||||||
'aHR0cDovL3d3dz88c2NyaXB0Pg==',
|
'aHR0cDovL3d3dz88c2NyaXB0Pg==',
|
||||||
'http://test.example.com/' => 0,
|
'http://test1.example.com/' => 0,
|
||||||
'script with logout',
|
'script with logout',
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -132,17 +138,42 @@ while ( defined( my $url = shift(@tests) ) ) {
|
||||||
count(2);
|
count(2);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
while ( defined( my $url = shift(@tests) ) ) {
|
||||||
|
my $referer = shift @tests;
|
||||||
|
my $redir = shift @tests;
|
||||||
|
my $detail = shift @tests;
|
||||||
|
ok(
|
||||||
|
$res = &client->_get(
|
||||||
|
'/',
|
||||||
|
query => "url=$url&logout=1",
|
||||||
|
cookie => "lemonldap=$id",
|
||||||
|
|
||||||
|
accept => 'text/html',
|
||||||
|
referer => $referer,
|
||||||
|
),
|
||||||
|
$detail
|
||||||
|
);
|
||||||
|
ok( ( $res->[0] == ( $redir ? 302 : 200 ) ),
|
||||||
|
( $redir ? 'Get redirection' : 'Redirection dropped' ) )
|
||||||
|
or explain( $res->[0], ( $redir ? 302 : 200 ) );
|
||||||
|
ok(
|
||||||
|
$res = &client->_post(
|
||||||
|
'/', '',
|
||||||
|
IO::String->new('user=dwho&password=dwho'),
|
||||||
|
'application/x-www-form-urlencoded', 23
|
||||||
|
),
|
||||||
|
'Auth query'
|
||||||
|
);
|
||||||
|
ok( $res->[0] == 200, 'Response is 200' ) or explain( $res->[0], 200 );
|
||||||
|
ok( $id = getCookies($res)->{lemonldap}, 'Get LLNG cookie' )
|
||||||
|
or explain( $res, 'Set-Cookie: something' );
|
||||||
|
count(5);
|
||||||
|
}
|
||||||
|
|
||||||
clean_sessions();
|
clean_sessions();
|
||||||
|
|
||||||
done_testing( count() );
|
done_testing( count() );
|
||||||
__END__
|
__END__
|
||||||
while ( defined( $url = shift(@h) ) ) {
|
|
||||||
last if ( $url eq 'LOGOUT' );
|
|
||||||
$result = shift @h;
|
|
||||||
my $text = shift @h;
|
|
||||||
|
|
||||||
ok( $p->controlUrlOrigin() == $result, $text );
|
|
||||||
}
|
|
||||||
|
|
||||||
# LOGOUT CASES
|
# LOGOUT CASES
|
||||||
$logout = 1;
|
$logout = 1;
|
||||||
|
|
|
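Review bot: In the new logout loop the dropped-redirect branch asserts only `$res->[0] == 200`, so for the `url=http://www?<script>` entry the test passes even if the page echoes the supplied url unescaped or the session was deleted anyway; the status code alone does not cover the XSS named in the commit title. If `$res->[2]` holds the PSGI body, an assertion such as `unlike( join( '', @{ $res->[2] } ), qr/<script>/, 'url not echoed' )` in the `!$redir` case would pin that, and re-using the original `$id` after a refused logout would show the session survived. The `&client->_get(...)` form also passes the caller's `@_` through because `&client` is written without parens; `client()->_get(...)` avoids that.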
@ -113,11 +113,12 @@ sub _get {
|
||||||
|| 'application/json, text/plain, */*',
|
|| 'application/json, text/plain, */*',
|
||||||
'HTTP_ACCEPT_LANGUAGE' => 'fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3',
|
'HTTP_ACCEPT_LANGUAGE' => 'fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3',
|
||||||
'HTTP_CACHE_CONTROL' => 'max-age=0',
|
'HTTP_CACHE_CONTROL' => 'max-age=0',
|
||||||
( $args{cookie} ? ( 'HTTP_COOKIE' => $args{cookie} ) : () ),
|
( $args{cookie} ? ( HTTP_COOKIE => $args{cookie} ) : () ),
|
||||||
'HTTP_HOST' => 'auth.example.com',
|
'HTTP_HOST' => 'auth.example.com',
|
||||||
'HTTP_USER_AGENT' =>
|
'HTTP_USER_AGENT' =>
|
||||||
'Mozilla/5.0 (VAX-4000; rv:36.0) Gecko/20350101 Firefox',
|
'Mozilla/5.0 (VAX-4000; rv:36.0) Gecko/20350101 Firefox',
|
||||||
'PATH_INFO' => $path,
|
'PATH_INFO' => $path,
|
||||||
|
( $args{referer} ? ( REFERER => $args{referer} ) : () ),
|
||||||
'REMOTE_ADDR' => '127.0.0.1',
|
'REMOTE_ADDR' => '127.0.0.1',
|
||||||
(
|
(
|
||||||
$args{remote_user}
|
$args{remote_user}
|
||||||
|
@ -126,7 +127,7 @@ sub _get {
|
||||||
),
|
),
|
||||||
'REQUEST_METHOD' => 'GET',
|
'REQUEST_METHOD' => 'GET',
|
||||||
'REQUEST_URI' => $path . ( $args{query} ? "?$args{query}" : '' ),
|
'REQUEST_URI' => $path . ( $args{query} ? "?$args{query}" : '' ),
|
||||||
( $args{query} ? ( 'QUERY_STRING' => $args{query} ) : () ),
|
( $args{query} ? ( QUERY_STRING => $args{query} ) : () ),
|
||||||
'SCRIPT_NAME' => '',
|
'SCRIPT_NAME' => '',
|
||||||
'SERVER_NAME' => 'auth.example.com',
|
'SERVER_NAME' => 'auth.example.com',
|
||||||
'SERVER_PORT' => '8002',
|
'SERVER_PORT' => '8002',
|
||||||
|
|