Refactor $req->{cspFormAction} (#2513)
This commit is contained in:
Maxime Besson
parent
a876d978af
commit
cd97d3b922
|
|
@ -12,7 +12,7 @@ our $VERSION = '2.0.11';
|
|||
has modules => ( is => 'rw', default => sub { {} } );
|
||||
has rules => ( is => 'rw', default => sub { {} } );
|
||||
has type => ( is => 'rw' );
|
||||
has catch => ( is => 'rw', default => sub { {} } );
|
||||
has catch => ( is => 'rw', default => sub { {} } );
|
||||
has sessionKey => ( is => 'ro', default => '_choice' );
|
||||
|
||||
my $_choiceRules;
|
||||
|
|
@ -116,8 +116,10 @@ sub checkChoice {
|
|||
}
|
||||
|
||||
unless ($name) {
|
||||
|
||||
# Set by OAuth Resource Owner grant // RESTServer pwdCheck
|
||||
if ($req->data->{_pwdCheck} and $self->{conf}->{authChoiceAuthBasic}) {
|
||||
if ( $req->data->{_pwdCheck} and $self->{conf}->{authChoiceAuthBasic} )
|
||||
{
|
||||
$name = $self->{conf}->{authChoiceAuthBasic};
|
||||
}
|
||||
}
|
||||
|
|
@ -213,7 +215,7 @@ sub _buildAuthLoop {
|
|||
if ( $auth and $userDB and $passwordDB ) {
|
||||
|
||||
# Default URL
|
||||
$req->{cspFormAction} ||= '';
|
||||
$req->data->{cspFormAction} ||= {};
|
||||
if (
|
||||
defined $url
|
||||
and not $self->checkXSSAttack( 'URI',
|
||||
|
|
@ -222,11 +224,9 @@ sub _buildAuthLoop {
|
|||
q%^(https?://)?[^\s/.?#$].[^\s]+$% # URL must be well formatted
|
||||
)
|
||||
{
|
||||
#$url .= $req->env->{'REQUEST_URI'};
|
||||
|
||||
# Avoid append same URL
|
||||
$req->{cspFormAction} .= " $url"
|
||||
unless $req->{cspFormAction} =~ qr%\b$url\b%;
|
||||
my $csp_uri = $self->cspGetHost($url);
|
||||
$req->data->{cspFormAction}->{$csp_uri} = 1;
|
||||
}
|
||||
else {
|
||||
$url .= '#';
|
||||
|
|
|
|||
|
|
@ -898,10 +898,14 @@ sub sendHtml {
|
|||
$csp .= " $url";
|
||||
}
|
||||
}
|
||||
if ( defined $req->{cspFormAction} ) {
|
||||
$self->logger->debug(
|
||||
"Set CSP form-action with request URL: " . $req->{cspFormAction} );
|
||||
$csp .= " " . $req->{cspFormAction};
|
||||
if ( defined $req->data->{cspFormAction}
|
||||
and ref( $req->data->{cspFormAction} ) eq "HASH" )
|
||||
{
|
||||
my $request_csp_form_action =
|
||||
join( " ", keys %{ $req->data->{cspFormAction} } );
|
||||
$self->logger->debug( "Set CSP form-action with request URL: "
|
||||
. $request_csp_form_action );
|
||||
$csp .= " " . $request_csp_form_action;
|
||||
}
|
||||
|
||||
# Set SAML Discovery Protocol in form-action
|
||||
|
|
@ -1083,7 +1087,7 @@ sub registerLogin {
|
|||
}
|
||||
|
||||
my $history = $req->sessionInfo->{_loginHistory} ||= {};
|
||||
my $type = ( $req->authResult > 0 ? 'failed' : 'success' ) . 'Login';
|
||||
my $type = ( $req->authResult > 0 ? 'failed' : 'success' ) . 'Login';
|
||||
$history->{$type} ||= [];
|
||||
$self->logger->debug("Current login saved into $type");
|
||||
|
||||
|
|
|
|||
|
|
@ -114,9 +114,9 @@ m%<form id="lformKerberos" action="#" method="post" class="login Kerberos">%,
|
|||
' Action # found'
|
||||
) or explain( $res->[2]->[0], '<form id="lformSSL"' );
|
||||
my $header = getHeader( $res, 'Content-Security-Policy' );
|
||||
ok( $header =~ m%;form-action \* https://test.example.com;%,
|
||||
ok( $header =~ m%;form-action \* https://test.example.com;%,
|
||||
' CSP URL found' )
|
||||
or explain( $res->[1], 'form-action * https://test.example.com;' );
|
||||
or explain( $res->[1], 'form-action * https://test.example.com;' );
|
||||
ok( $res->[2]->[0] !~ /4_demo/, '4_Demo not displayed' );
|
||||
ok(
|
||||
$res->[2]->[0] =~ qr%<img src="/static/common/logos/logo_llng_old.png"%,
|
||||
|
|
|
|||
Loading…
Reference in New Issue