Merge branch 'v2.0'

Yadd 2021-08-09 21:28:02 +02:00
commit 781c9b0a8b
15 changed files with 79 additions and 38 deletions


@ -31,7 +31,7 @@ Installation and configuration
- `Version 2.0 </documentation/2.0/>`__ (stable)
- `Version 1.9 </documentation/1.9/>`__ (oldstable)
- Archived versions (unmaintained by `LLNG Team </team>`__ )
- Archived versions (unmaintained by LLNG Team )
- `Version 1.4 </documentation/1.4/>`__
- `Version 1.3 </documentation/1.3/>`__
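Review bot: dropping the `LLNG Team </team>` link here matches the Debian table later in this commit, but the replacement line keeps a stray space before the closing parenthesis (`LLNG Team )`); write `unmaintained by LLNG Team)`.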
@ -53,20 +53,22 @@ Debian
Following Debian Policy, LLNG packages are never upgraded in published distributions. However, security patches are backported by maintenance teams *(except some inor ones)*.
See `Security tracker <https://security-tracker.debian.org/tracker/source-package/lemonldap-ng>`__
=========== ======================== ======================================== ===================================================== ============================================================ =============================== =============================================================
Debian dist LLNG version Secured Maintenance LTS Limit `Extended LTS <https://wiki.debian.org/LTS/Extended>`__ Limit
=========== ======================== ======================================== ===================================================== ============================================================ =============================== =============================================================
*6* *Squeeze* *0.9.4.1* |maybe| No known vulnerability *None* *February 2016* *April 2019*
**7** Wheezy `1.1.2 </documentation/1.1/>`__ |maybe| No known vulnerability **None** [1]_ May 2018 Probably 2021
**8** Jessie `1.3.3 </documentation/1.3/>`__ |clean| CVE-2019-19791 tagged as minor **None** [1]_ June 2020 Probably 2023
**9** Stretch `1.9.7 </documentation/1.9/>`__ |clean| CVE-2019-19791 tagged as minor `Debian LTS Team <https://www.debian.org/lts/>`__ June 2022
\ *Stretch-backports* `2.0.2 </documentation/2.0/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941 *None* *June 2019*
\ Stretch-backports-sloppy `2.0.11 </documentation/2.0/>`__ |maybe| *Maybe none*, "best effort" [3]_ Until Debian 11 release [4]_
**10** Buster `2.0.2 </documentation/2.0/>`__ |clean| CVE-2019-19791 tagged as minor `Debian Security Team <https://security-team.debian.org/>`__ Probably July 2024
\ Buster-backports `2.0.11 </documentation/2.0/>`__ |clean| `LLNG Team </team>`, "best effort" [3]_ Until Debian 11 release [4]_
\ Bullseye `2.0.11 </documentation/2.0/>`__ |clean| `Debian Security Team <https://security-team.debian.org/>`__ Probably July 2026
**Next** Testing Latest [5]_ |clean| `LLNG Team </team>`__
=========== ======================== ======================================== ===================================================== ============================================================ =============================== =============================================================
=========== ========================== ======================================== ===================================================== ============================================================ =============================== =============================================================
Debian dist LLNG version Secured Maintenance LTS Limit `Extended LTS <https://wiki.debian.org/LTS/Extended>`__ Limit
=========== ========================== ======================================== ===================================================== ============================================================ =============================== =============================================================
*6* *Squeeze* *0.9.4.1* |maybe| No known vulnerability *None* *February 2016* *April 2019*
*7* *Wheezy* `1.1.2 </documentation/1.1/>`__ |maybe| No known vulnerability *None* *May 2018* *June 2020*
**8** Jessie `1.3.3 </documentation/1.3/>`__ |clean| CVE-2019-19791 tagged as minor **None** [1]_ June 2020 June 2022
**9** Stretch `1.9.7 </documentation/1.9/>`__ |clean| CVE-2019-19791 tagged as minor `Debian LTS Team <https://www.debian.org/lts/>`__ June 2022 Probably 2024
\ *Stretch-backports* `2.0.2 </documentation/2.0/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941 *None* *June 2019*
\ *Stretch-backports-sloppy* `2.0.11 </documentation/2.0/>`__ |maybe| *None* *August 2021*
**10** Buster `2.0.2 </documentation/2.0/>`__ |clean| CVE-2019-19791 tagged as minor `Debian Security Team <https://security-team.debian.org/>`__ June 2024 Probably 2026
\ *Buster-backports* `2.0.11 </documentation/2.0/>`__ |clean| *None* *August 2021*
\ Buster-backports-sloppy `2.0.11 </documentation/2.0/>`__ |clean| LLNG Team, "best effort" [3]_ Until Debian 12 release [4]_
**11** Bullseye `2.0.11 </documentation/2.0/>`__ |clean| `Debian Security Team <https://security-team.debian.org/>`__ July 2026 Probably 2028
\ Bullseye-backports `2.0.11 </documentation/2.0/>`__ |clean| LLNG Team, "best effort" [3]_ Until Debian 12 release [4]_
**Next** Testing/Unstable Latest [5]_ |clean| LLNG Team
=========== ========================== ======================================== ===================================================== ============================================================ =============================== =============================================================
See `Debian Security
Tracker <https://security-tracker.debian.org/tracker/source-package/lemonldap-ng>`__
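Review bot: Buster-backports (2.0.11, Maintenance *None*, limit August 2021) and Buster-backports-sloppy (2.0.11, "best effort") now list the same version with opposite support status, and the same happens for Stretch-backports-sloppy, which keeps the `|maybe|` marker although it is demoted to *None*; one sentence saying why the same version is maintained in one pocket and not the other (and aligning the icon with Stretch-backports if it is now unmaintained) would spare readers a guess. While touching this block, the context line "except some inor ones" has a typo for "minor".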
@ -142,7 +144,7 @@ Other
backports are not covered by Debian Security Policy
.. [4]
around September 2021
around July 2023
.. [5]
few days after release


@ -43,19 +43,52 @@ Security
Portal templates changes
~~~~~~~~~~~~~~~~~~~~~~~~
If you customized the HTML mail content, you must update them to use HTML::Template variables (this was changed to fix XSS injections).
Email templates
^^^^^^^^^^^^^^^
For session variables, replace for example ``$cn`` by ``<TMPL_VAR NAME="session_cn" ESCAPE=HTML>``, and for other variables, replace for example ``$url`` by ``<TMPL_VAR NAME="url" ESCAPE=HTML>``.
If you customized the HTML email templates, you must update them to use HTML::Template variables (this was changed to fix XSS injections).
Some changes have been made to include new plugins (FindUser and CheckDevOps), you need to report them only if you have a custom theme and you want to use these plugins
In the following files: ``mail_2fcode.tpl`` ``mail_certificateReset.tpl`` ``mail_footer.tpl`` ``mail_password.tpl`` ``mail_register_done.tpl`` ``mail_certificateConfirm.tpl`` ``mail_confirm.tpl`` ``mail_header.tpl`` ``mail_register_confirm.tpl``
Replace the following variables:
.. list-table::
:header-rows: 1
* - Old syntax
- New syntax
* - ``$code``
- ``<TMPL_VAR NAME="code" ESCAPE=HTML>``
* - ``$url``
- ``<TMPL_VAR NAME="url" ESCAPE=HTML>``
* - ``$login``
- ``<TMPL_VAR NAME="login" ESCAPE=HTML>``
* - ``$password``
- ``<TMPL_VAR NAME="password" ESCAPE=HTML>``
* - ``$firstname``
- ``<TMPL_VAR NAME="firstname" ESCAPE=HTML>``
* - ``$lastname``
- ``<TMPL_VAR NAME="lastname" ESCAPE=HTML>``
Replace all other variables such as ``$cn`` by ``<TMPL_VAR NAME="session_cn" ESCAPE=HTML>``.
Login form
^^^^^^^^^^
To benefit from the new feature allowing to show password on login form, adapt ``standardform.tpl`` (see `changes <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/bdeb1e70d98ddc89316b0912d9d5ee6d11d0bee5#fbbcec1fdc36cc042eeaa83274a32ef2231fe977_23_23>`__)
To disable password store in browser when changing password (this was already possible for login form), adapt ``password.tpl`` (see `changes <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/466b6a3241fff5013d27b3dd22982e5e26ed7dfb#0ae060b3d1e289f08f510c268ed72de5dcafe425_36_35>`__)
To fix placeholder display in password field when password store is disabled in browser, adapt ``password.tpl`` (see `changes <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/547d80985290495d33ed72a388e9ddf482980354#fbbcec1fdc36cc042eeaa83274a32ef2231fe977_21_20>`__)
See also "Simplification of TOTP options" below.
TOTP
^^^^
See also `Simplification of TOTP options`_ below.
FindUser, CheckDevOps templates
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Some changes have been made to include new plugins (FindUser and CheckDevOps), you need to report them only if you have a custom theme and you want to use these plugins
Client Credential sessions missing expiration time
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
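Review bot: "you need to report them only if" reads as a calque of French "reporter"; write "you only need to port these changes if you have a custom theme and want to use these plugins", and, as the Login form section does, link the commit(s) so a theme maintainer can see which template files changed. In the Email templates section, state explicitly that `ESCAPE=HTML` is required on every `<TMPL_VAR>`, not only on the variables in the table, since one unescaped variable reintroduces the injection this change fixes.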


@ -144,8 +144,7 @@ for my $options (@backends) {
next if ( $options->{backend} eq "Apache::Session::Memcached" );
my @t;
if ( $options->{backend}->can('deleteIfLowerThan') ) {
next
if $options->{backend}->deleteIfLowerThan(
my ( $success, $rows ) = $options->{backend}->deleteIfLowerThan(
$options,
{
not => { '_session_kind' => 'Persistent' },
@ -158,7 +157,14 @@ for my $options (@backends) {
)
}
}
);
);
if ($success) {
if ($rows) {
$nb_purged += $rows;
}
next;
}
}
# Get all expired sessions
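Review bot: when `$success` is false the loop silently falls through to the generic per-session purge below; log a warning at that point so a failing `deleteIfLowerThan` (a backend error, as opposed to zero matching rows) is visible to the operator rather than only showing up as a slower purge run.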


@ -5,7 +5,7 @@
<!-- //endif -->
<div class="form-group">
<img class="renewcaptchaclick" src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/arrow_refresh.png" alt="Renew Captcha" title="Renew Captcha" class="img-thumbnail mb-3" />
<img class="renewcaptchaclick" src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/arrow_refresh.png" alt="Renew Captcha" title="Renew Captcha" class="img-thumbnail mb-3" autocomplete="one-time-code" />
<img id="captcha" src="<TMPL_VAR NAME=CAPTCHA_SRC>" class="img-thumbnail" />
</div>
<div class="input-group mb-3">
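Review bot: `autocomplete="one-time-code"` is added to the refresh-icon `<img>`, where browsers ignore it; it only has an effect on the `<input>` that receives the captcha answer, so move it there (and adjust the test that pins this exact tag). While on this line, the element carries `class` twice (`renewcaptchaclick` and `img-thumbnail mb-3`); only the first is honoured, so merge them into one attribute.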


@ -25,7 +25,7 @@
<div class="input-group-prepend">
<span class="input-group-text"><label for="mailfield" class="mb-0"><i class="fa fa-envelope"></i></label></span>
</div>
<input id="mailfield" name="mail" type="text" value="<TMPL_VAR NAME="MAIL">" class="form-control" trplaceholder="mail" required />
<input id="mailfield" name="mail" type="text" value="<TMPL_VAR NAME="MAIL">" class="form-control" trplaceholder="mail" required />
</div>
<TMPL_IF NAME=CAPTCHA_SRC>
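Review bot: this hunk only changes whitespace before `/>`; since the register form in this commit gets `autocomplete="given-name"` and `"family-name"`, the mail field here would be the natural place for `autocomplete="email"`, and `type="email"` instead of `type="text"` would add client-side format checking on a field whose placeholder says it is an address.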


@ -33,7 +33,7 @@
<input type="hidden" name="token" value="<TMPL_VAR NAME="TOKEN">" />
</TMPL_IF>
<TMPL_IF NAME="DOWNLOAD">
<input id="urlfield" name="url" type="text" class="form-control" value="<TMPL_VAR NAME="URL">" trplaceholder="URL / DNS" aria-required="true"/>
<input id="urlfield" name="url" type="text" class="form-control" value="<TMPL_VAR NAME="URL">" trplaceholder="URL / DNS" aria-required="true" autocomplete="url" />
<pre><textarea id="checkDevOpsFile" name="checkDevOpsFile" class="form-control rounded-1" rows="6" trplaceholder="pasteHere"><TMPL_VAR NAME="FILE"></textarea></pre>
<TMPL_ELSE>
<pre><textarea id="checkDevOpsFile" name="checkDevOpsFile" class="form-control rounded-1" rows="6" trplaceholder="pasteHere" required><TMPL_VAR NAME="FILE"></textarea></pre>


@ -17,7 +17,7 @@
<div class="input-group-prepend">
<span class="input-group-text"><label for="urlfield" class="mb-0"><i class="fa fa-link"></i></label></span>
</div>
<input id="urlfield" name="url" type="text" class="form-control" value="<TMPL_VAR NAME="URL">" trplaceholder="URL / DNS" aria-required="true"/>
<input id="urlfield" name="url" type="text" class="form-control" value="<TMPL_VAR NAME="URL">" trplaceholder="URL / DNS" aria-required="true" autocomplete="url" />
</div>
<button type="submit" class="btn btn-success">
<span class="fa fa-search"></span>
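Review bot: `aria-required="true"` without the HTML `required` attribute (unchanged here, but worth fixing while the line is touched) announces the field as mandatory to assistive technology while letting the browser submit it empty; either add `required`, as the user field in the findUser form has, or drop `aria-required` if the URL is optional. The same applies to the `urlfield` in the checkDevOps DOWNLOAD branch.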


@ -5,7 +5,7 @@
<div class="input-group-prepend">
<span class="input-group-text"><label for="userfield" class="mb-0"><i class="fa fa-user"></i></label></span>
</div>
<input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN">" trplaceholder="mail" required aria-required="true"/>
<input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN">" trplaceholder="mail" required aria-required="true" />
</div>
<div class="input-group mb-3">


@ -23,21 +23,21 @@
<div class="input-group-prepend">
<span class="input-group-text"><label for="firstnamefield" class="mb-0"><i class="fa fa-user"></i></label></span>
</div>
<input id="firstnamefield" name="firstname" type="text" value="<TMPL_VAR NAME="FIRSTNAME">" class="form-control" trplaceholder="firstName" required aria-required="true"/>
<input id="firstnamefield" name="firstname" type="text" value="<TMPL_VAR NAME="FIRSTNAME">" class="form-control" trplaceholder="firstName" required aria-required="true" autocomplete="given-name" />
</div>
<div class="input-group mb-3">
<div class="input-group-prepend">
<span class="input-group-text"><label for="lastnamefield" class="mb-0"><i class="fa fa-user"></i></label></span>
</div>
<input id="lastnamefield" name="lastname" type="text" value="<TMPL_VAR NAME="LASTNAME">" class="form-control" trplaceholder="lastName" required aria-required="true"/>
<input id="lastnamefield" name="lastname" type="text" value="<TMPL_VAR NAME="LASTNAME">" class="form-control" autocomplete="family-name" trplaceholder="lastName" required aria-required="true"/>
</div>
<div class="input-group mb-3">
<div class="input-group-prepend">
<span class="input-group-text"><label for="mailfield" class="mb-0"><i class="fa fa-envelope"></i></label></span>
</div>
<input id="mailfield" name="mail" type="text" value="<TMPL_VAR NAME="MAIL">" class="form-control" trplaceholder="mail" required aria-required="true"/>
<input id="mailfield" name="mail" type="text" value="<TMPL_VAR NAME="MAIL">" class="form-control" trplaceholder="mail" required aria-required="true" />
</div>
<TMPL_IF NAME=CAPTCHA_SRC>
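Review bot: `autocomplete="family-name"` on the lastname input is inserted between `class` and `trplaceholder` and keeps the space-less `"/>`, while the firstname input appends it at the end with ` />`; align the two. The mail field in the same form gets only the whitespace change; `autocomplete="email"` would complete the set.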


@ -41,7 +41,7 @@ SKIP: {
' Captcha image inserted' );
ok(
$res->[2]->[0] =~
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" alt="Renew Captcha" title="Renew Captcha" class="img-thumbnail mb-3" />#,
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png"#,
' Renew Captcha button found'
) or explain( $res->[2]->[0], 'Renew captcha button not found' );
ok( $res->[2]->[0] =~ /captcha\.(?:min\.)?js/, 'Get captcha javascript' );
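Review bot: loosening the match to the `src` prefix makes this test robust to attribute changes, which is the right call; one sibling captcha test in this commit still pins the full tag including the new `autocomplete` attribute, so align it with this one to avoid editing several tests for a single template fix.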


@ -134,7 +134,7 @@ m%<input[^>]*name="password"%,
' New captcha image inserted' );
ok(
$res->[2]->[0] =~
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" alt="Renew Captcha" title="Renew Captcha" class="img-thumbnail mb-3" />#,
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" alt="Renew Captcha" title="Renew Captcha" class="img-thumbnail mb-3" autocomplete="one-time-code" />#,
' Renew Captcha button found'
) or explain( $res->[2]->[0], 'Renew captcha button not found' );
ok( $res->[2]->[0] =~ /captcha\.(?:min\.)?js/, 'Get captcha javascript' );
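Review bot: this expectation now pins `autocomplete="one-time-code"` on the `<img>`, locking in an attribute that has no effect on an image element; loosen it to the `src` prefix as the other captcha tests in this commit do, so moving the attribute to the captcha input does not break this test.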


@ -62,7 +62,7 @@ s/^.*token=([^&]+).*$/token=$1&firstname=who&lastname=doctor&mail=dwho%40badwolf
) or print STDERR Dumper( $res->[2]->[0] );
ok(
$res->[2]->[0] =~
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" alt="Renew Captcha" title="Renew Captcha" class="img-thumbnail mb-3" />#,
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png"#,
' Renew Captcha button found'
) or explain( $res->[2]->[0], 'Renew captcha button not found' );
ok( $res->[2]->[0] =~ /captcha\.(?:min\.)?js/, 'Get captcha javascript' );


@ -69,7 +69,7 @@ m%<a class="btn btn-secondary" href="http://auth.example.com/resetpwd\?skin=boot
) or print STDERR Dumper( $res->[2]->[0] );
ok(
$res->[2]->[0] =~
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" alt="Renew Captcha" title="Renew Captcha" class="img-thumbnail mb-3" />#,
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png"#,
' Renew Captcha button found'
) or explain( $res->[2]->[0], 'Renew captcha button not found' );
ok( $res->[2]->[0] =~ /captcha\.(?:min\.)?js/, 'Get captcha javascript' );


@ -124,7 +124,7 @@ count(1);
expectForm( $res, undef, '/checkuser', 'user', 'url' );
ok(
$res->[2]->[0] =~
m%<input id="urlfield" name="url" type="text" class="form-control" value="http://test1.example.com" trplaceholder="URL / DNS"%,
m%<input id="urlfield" name="url" type="text" class="form-control" value="http://test1.example.com" trplaceholder="URL / DNS" aria-required="true" autocomplete="url" />%,
'Found HTTP url'
) or explain( $res->[2]->[0], 'HTTP url' );
ok(
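Review bot: extending the pattern to the exact trailing `aria-required="true" autocomplete="url" />` makes this test break on any further attribute reordering; the leading part (id, name, value, placeholder) already checks what matters, and if the intent is to assert the new attribute, a separate `/autocomplete="url"/` match is less brittle.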
@ -224,7 +224,7 @@ ok(
expectForm( $res, undef, '/checkuser', 'user', 'url' );
ok(
$res->[2]->[0] =~
m%<input id="urlfield" name="url" type="text" class="form-control" value="https://test2.example.com" trplaceholder="URL / DNS"%,
m%<input id="urlfield" name="url" type="text" class="form-control" value="https://test2.example.com" trplaceholder="URL / DNS" aria-required="true" autocomplete="url" />%,
'Found HTTPS url'
) or explain( $res->[2]->[0], 'HTTP url' );
count(2);
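Review bot: the `explain` message on the HTTPS case still says 'HTTP url' (copied from the previous test); use 'HTTPS url' so a failure report points at the right case.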


@ -48,7 +48,7 @@ SKIP: {
' Captcha image inserted' );
ok(
$res->[2]->[0] =~
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" alt="Renew Captcha" title="Renew Captcha" class="img-thumbnail mb-3" />#,
m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png"#,
' Renew Captcha button found'
) or explain( $res->[2]->[0], 'Renew captcha button not found' );
ok( $res->[2]->[0] =~ /captcha\.(?:min\.)?js/, 'Get captcha javascript' );