Tidy & append release note (#2434)
parent
25bc6c0dad
commit
e2fabf594a
|
@ -28,7 +28,6 @@
|
|||
auth_request_set $headervalue14 $upstream_http_headervalue14;
|
||||
auth_request_set $headername15 $upstream_http_headername15;
|
||||
auth_request_set $headervalue15 $upstream_http_headervalue15;
|
||||
auth_request_set $lmcookie $upstream_http_cookie;
|
||||
auth_request_set $deleteheader1 $upstream_http_deleteheader1;
|
||||
auth_request_set $deleteheader2 $upstream_http_deleteheader2;
|
||||
auth_request_set $deleteheader3 $upstream_http_deleteheader3;
|
||||
|
@ -40,6 +39,11 @@
|
|||
auth_request_set $deleteheader9 $upstream_http_deleteheader9;
|
||||
auth_request_set $deleteheader10 $upstream_http_deleteheader10;
|
||||
auth_request_set $deleteheader11 $upstream_http_deleteheader11;
|
||||
auth_request_set $deleteheader12 $upstream_http_deleteheader12;
|
||||
auth_request_set $deleteheader13 $upstream_http_deleteheader13;
|
||||
auth_request_set $deleteheader14 $upstream_http_deleteheader14;
|
||||
auth_request_set $deleteheader15 $upstream_http_deleteheader15;
|
||||
auth_request_set $lmcookie $upstream_http_cookie;
|
||||
access_by_lua '
|
||||
local i = 1
|
||||
ngx.req.set_header("Cookie",ngx.var.lmcookie)
|
||||
|
@ -49,16 +53,16 @@
|
|||
else
|
||||
break
|
||||
end
|
||||
i = i +1
|
||||
i = i + 1
|
||||
end
|
||||
i = 1
|
||||
while true do
|
||||
if ngx.var["deleteheader"..i] ~= nil then
|
||||
ngx.req.clear_header(ngx.var["deleteheader"..i])
|
||||
ngx.req.clear_header(ngx.var["deleteheader"..i])
|
||||
else
|
||||
break
|
||||
end
|
||||
i = i +1
|
||||
i = i + 1
|
||||
end
|
||||
';
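Review bot: Only fifteen `deleteheaderN` variables are declared (the last visible one is `auth_request_set $deleteheader15 $upstream_http_deleteheader15;`), so the clearing loop in `access_by_lua` breaks at i = 16 and any further header name sent by the handler is never passed to `ngx.req.clear_header`. cleanHeaders hands the whole per-vhost headerList to unset_header_in, so as far as these hunks show, a virtual host exporting more than fifteen headers would keep the extra ones on the request for 'skip' or 'unprotect' URLs. The loop also stops at the first nil slot, so a gap in the numbering would leave later names uncleared. I would add a comment above the declarations, `# 15 slots only: add auth_request_set $deleteheaderN lines if a vhost exports more headers`, and have the handler log a warning when its index exceeds the declared slots. The start of the file and the first loop of the Lua block are outside the hunks.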
|
||||
|
||||
|
|
|
@ -20,6 +20,13 @@ backups and a rollback plan ready!
|
|||
2.0.10
|
||||
------
|
||||
|
||||
A vulnerability affecting LemonLDAP::NG installations has been found out when ALL following criteria apply:
|
||||
|
||||
* Your handler server uses Nginx
|
||||
* Your virtual host configuration contains per-URL 'skip' or 'unprotect' access rule
|
||||
|
||||
In this situation, you have to update your LUA configuration file like ``/etc/nginx/nginx-lua-headers.conf``
|
||||
|
||||
- New dependency: IO::Socket::Timeout
|
||||
- TOTP check tolerates forward AND backward clock drift (totp2fRange)
|
||||
- Avoid assignment in expressions option is disabled by default
|
||||
|
|
|
@ -768,6 +768,7 @@ sub cleanHeaders {
|
|||
my ( $class, $req ) = @_;
|
||||
my $vhost = $class->resolveAlias($req);
|
||||
if ( defined( $class->tsv->{headerList}->{$vhost} ) ) {
|
||||
$class->logger->debug("Remove headers relative to $vhost");
|
||||
$class->unset_header_in( $req,
|
||||
@{ $class->tsv->{headerList}->{$vhost} } );
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@ package Lemonldap::NG::Handler::Server::Main;
|
|||
|
||||
use strict;
|
||||
|
||||
our $VERSION = '2.0.6';
|
||||
our $VERSION = '2.0.10';
|
||||
|
||||
use base 'Lemonldap::NG::Handler::PSGI::Main';
|
||||
|
||||
|
@ -25,13 +25,17 @@ sub set_header_in {
|
|||
push @{ $req->{respHeaders} }, %headers;
|
||||
}
|
||||
|
||||
## @method void unset_header_in(array headers)
|
||||
# deletes request headers and push headers that will be removed by LUA
|
||||
# @param headers array containing header names
|
||||
sub unset_header_in {
|
||||
my ( $class, $req, @headers ) = @_;
|
||||
$req->data->{deleteIndex} //= 1;
|
||||
my $i = $req->data->{deleteIndex};
|
||||
foreach my $header(@headers) {
|
||||
foreach my $header (@headers) {
|
||||
$class->logger->debug("Delete header $header");
|
||||
$req->{respHeaders} = [ grep { $_ ne $header and $_ ne cgiName($header) }
|
||||
$req->{respHeaders} =
|
||||
[ grep { $_ ne $header and $_ ne cgiName($header) }
|
||||
@{ $req->{respHeaders} } ];
|
||||
delete $req->{env}->{ cgiName($header) };
|
||||
push @{ $req->{respHeaders} }, "Deleteheader$i", $header;
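Review bot: The `grep` in unset_header_in filters `$req->{respHeaders}` element by element, but set_header_in fills that array as a flat name/value list (`push @{ $req->{respHeaders} }, %headers;`), so removing a matching name leaves its value behind and shifts every following pair. It also drops any value that happens to equal a header name, including the value of an earlier `Deleteheader$i` entry if the same header is unset twice. The comparison is case-sensitive as well, which may miss a name stored with different casing; this depends on how callers normalise names, which is not visible here. Filtering pair by pair, as sketched below, keeps the list aligned. The increment of `$i` and the end of the sub are outside the hunk.

```perl
    foreach my $header (@headers) {
        # … unchanged: debug log …

        # respHeaders is a flat name/value list: drop both halves of a match
        my @pairs = @{ $req->{respHeaders} };
        my @kept;
        while ( my ( $name, $value ) = splice( @pairs, 0, 2 ) ) {
            next if $name eq $header or $name eq cgiName($header);
            push @kept, $name, $value;
        }
        $req->{respHeaders} = \@kept;

        # … unchanged: delete from env, push "Deleteheader$i" …
```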
|
||||
|
|