WIP - checkUser Improve code (#1658)

2019-02-25 20:11:32 +01:00 · 2019-02-25 20:11:32 +01:00 · f702664409
commit f702664409
parent 1ea6e92533
1 changed files with 45 additions and 39 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
@ -51,38 +51,28 @@ sub check {
    # Check token
    if ( $self->conf->{requireToken} ) {
        my $token = $req->param('token');
+        my $msg   = '';
        unless ($token) {
            $self->userLogger->warn('CheckUser try without token');
-my $token = $self->ott->createToken( $req->sessionInfo );
-            #return $self->p->sendError( $req, 'Unable to build Metadata' );
-            return $self->p->sendHtml(
-                $req,
-                'checkuser',
-                params => {
-                    PORTAL    => $self->conf->{portal},
-                    MAIN_LOGO => $self->conf->{portalMainLogo},
-                    LANGS     => $self->conf->{showLanguages},
-                    MSG       => 'CheckUser try without token',
-                    TOKEN      => $token,
-                }
-            );
+            $msg   = PE_NOTOKEN;
+            $token = $self->ott->createToken( $req->sessionInfo );
        }
        unless ( $self->ott->getToken($token) ) {
            $self->userLogger->warn('Ask try with expired/bad token');
-my $token = $self->ott->createToken( $req->sessionInfo );
-            #return $self->p->sendError( $req, 'Unable to build Metadata' );
-            return $self->p->sendHtml(
-                $req,
-                'checkuser',
-                params => {
-                    PORTAL    => $self->conf->{portal},
-                    MAIN_LOGO => $self->conf->{portalMainLogo},
-                    LANGS     => $self->conf->{showLanguages},
-                    MSG       => 'Ask try with expired/bad token',
-                    TOKEN      => $token,
-                }
-            );
+            $msg   = PE_TOKENEXPIRED;
+            $token = $self->ott->createToken( $req->sessionInfo );
        }
+        return $self->p->sendHtml(
+            $req,
+            'checkuser',
+            params => {
+                PORTAL    => $self->conf->{portal},
+                MAIN_LOGO => $self->conf->{portalMainLogo},
+                LANGS     => $self->conf->{showLanguages},
+                MSG       => "PE$msg",
+                TOKEN     => $token,
+            }
+        ) if $msg;
    }

    ## Check user session datas
@ -100,9 +90,15 @@ my $token = $self->ott->createToken( $req->sessionInfo );
    foreach my $k ( sort keys %$attrs ) {
        $self->logger->debug("Delete hidden attributes");

-        # Ignore hidden attributes
-        push @$array_attrs, { key => $k, value => $attrs->{$k} }
-            unless ( $self->hAttr =~ /\b$k\b/ or !$attrs->{$k} );
+        # Ignore hidden attributes or empty values
+        if ( $self->conf->{checkUserDisplayEmptyValues} ) {
+            push @$array_attrs, { key => $k, value => $attrs->{$k} }
+                unless ( $self->hAttr =~ /\b$k\b/ );
+        }
+        else {
+            push @$array_attrs, { key => $k, value => $attrs->{$k} }
+                unless ( $self->hAttr =~ /\b$k\b/ or !$attrs->{$k} );
+        }
    }

    # Check if user is allowed to access submitted URL and compute headers
@ -112,7 +108,7 @@ my $token = $self->ott->createToken( $req->sessionInfo );
        $auth = $self->_authorization( $req, $url );
        $self->logger->debug(
            "checkUser requested for user: $req->{user} and URL: $url");
-        $result = $auth ? "ALLOWED" : "FORBIDDEN";
+        $result = $auth ? "allowed" : "forbidden";
        $self->userLogger->notice(
            "checkUser -> $req->{user} is $result to access: $url");

@ -126,12 +122,18 @@ my $token = $self->ott->createToken( $req->sessionInfo );
        $req,
        'checkuser',
        params => {
-            PORTAL     => $self->conf->{portal},
-            MAIN_LOGO  => $self->conf->{portalMainLogo},
-            LANGS      => $self->conf->{showLanguages},
-            MSG        => $msg,
-            LOGIN      => $req->{user},
-            URL        => $url,
+            PORTAL    => $self->conf->{portal},
+            MAIN_LOGO => $self->conf->{portalMainLogo},
+            LANGS     => $self->conf->{showLanguages},
+            MSG       => $msg,
+            LOGIN     => (
+                  $self->p->checkXSSAttack( 'LOGIN', $req->{user} ) ? ""
+                : $req->{user}
+            ),
+            URL => (
+                  $self->p->checkXSSAttack( 'URL', $url ) ? ""
+                : $url
+            ),
            ALLOWED    => $result,
            HEADERS    => $array_hdrs,
            ATTRIBUTES => $array_attrs,
@ -153,8 +155,12 @@ sub display {
            MAIN_LOGO => $self->conf->{portalMainLogo},
            LANGS     => $self->conf->{showLanguages},
            MSG       => 'checkUser',
-            LOGIN     => $req->{user},
-            TOKEN     => $token,
+            LOGIN     => (
+                $self->p->checkXSSAttack( 'LOGIN', $req->{user} )
+                ? ""
+                : $req->{user}
+            ),
+            TOKEN => $token,
        }
    );
 }
@ -164,7 +170,7 @@ sub _userDatas {

    # Search user in database
    my $steps = [ 'getUser', 'setSessionInfo', 'setMacros', 'setGroups' ];
-    1
+    $self->conf->{checkUserDisplayPersistentInfo}
        ? push @$steps, 'setPersistentSessionInfo', 'setLocalGroups'
        : push @$steps, 'setLocalGroups';
    $req->steps($steps);