From fbf7901d126c69efa0f8a65c2e153a1327e3e399 Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Thu, 14 Jan 2021 22:17:50 +0100
Subject: [PATCH] Tidy & append release note

---
 _example/etc/nginx-lua-headers.conf | 12 ++++++++----
 doc/sources/admin/upgrade_2_0_x.rst | 7 +++++++
 .../lib/Lemonldap/NG/Handler/Main/Run.pm | 1 +
 .../lib/Lemonldap/NG/Handler/Server/Main.pm | 10 +++++++---
 4 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/_example/etc/nginx-lua-headers.conf b/_example/etc/nginx-lua-headers.conf
index 5a79ab4a6..bd378b3d5 100644
--- a/_example/etc/nginx-lua-headers.conf
+++ b/_example/etc/nginx-lua-headers.conf
@@ -28,7 +28,6 @@
 auth_request_set $headervalue14 $upstream_http_headervalue14;
 auth_request_set $headername15 $upstream_http_headername15;
 auth_request_set $headervalue15 $upstream_http_headervalue15;
- auth_request_set $lmcookie $upstream_http_cookie;
 auth_request_set $deleteheader1 $upstream_http_deleteheader1;
 auth_request_set $deleteheader2 $upstream_http_deleteheader2;
 auth_request_set $deleteheader3 $upstream_http_deleteheader3;
@@ -40,6 +39,11 @@
 auth_request_set $deleteheader9 $upstream_http_deleteheader9;
 auth_request_set $deleteheader10 $upstream_http_deleteheader10;
 auth_request_set $deleteheader11 $upstream_http_deleteheader11;
+ auth_request_set $deleteheader12 $upstream_http_deleteheader12;
+ auth_request_set $deleteheader13 $upstream_http_deleteheader13;
+ auth_request_set $deleteheader14 $upstream_http_deleteheader14;
+ auth_request_set $deleteheader15 $upstream_http_deleteheader15;
+ auth_request_set $lmcookie $upstream_http_cookie;
 access_by_lua '
 local i = 1
 ngx.req.set_header("Cookie",ngx.var.lmcookie)
@@ -49,16 +53,16 @@
 else
 break
 end
- i = i +1
+ i = i + 1
 end
 i = 1
 while true do
 if ngx.var["deleteheader"..i] ~= nil then
- ngx.req.clear_header(ngx.var["deleteheader"..i])
+ ngx.req.clear_header(ngx.var["deleteheader"..i])
 else
 break
 end
- i = i +1
+ i = i + 1
 end
 ';
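Review bot: The deleteheader set is still a fixed enumeration (`$deleteheader1` … `$deleteheader15` in the second hunk), while the Lua loop in the third hunk stops at the first `ngx.var["deleteheader"..i]` that is nil, so any header the handler announces past Deleteheader15 is never cleared and reaches the backend; nothing in this patch shows a matching cap on the handler side. A comment above `auth_request_set $deleteheader1` such as `# Keep in sync with the number of Deleteheader<N> names the handler may emit; anything past $deleteheader15 is silently ignored` would at least make the coupling explicit, and aligning the two limits (or documenting the handler-side cap) would close it. The same enumeration limit presumably applies to the `$headernameN`/`$headervalueN` pairs visible at the top of the first hunk, which appear to feed the first loop whose tail is shown in the third hunk.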
diff --git a/doc/sources/admin/upgrade_2_0_x.rst b/doc/sources/admin/upgrade_2_0_x.rst
index b62cde1cd..7766de4df 100644
--- a/doc/sources/admin/upgrade_2_0_x.rst
+++ b/doc/sources/admin/upgrade_2_0_x.rst
@@ -20,6 +20,13 @@ backups and a rollback plan ready!
 2.0.10
 ------
+A vulnerability affecting LemonLDAP::NG installations has been found out when ALL following criteria apply:
+
+* Your handler server uses Nginx
+* Your virtual host configuration contains per-URL 'skip' or 'unprotect' access rule
+
+In this situation, you have to update your LUA configuration file like ``/etc/nginx/nginx-lua-headers.conf``
+
 - New dependency: IO::Socket::Timeout
 - TOTP check tolerates forward AND backward clock drift (totp2fRange)
 - Avoid assignment in expressions option is disabled by default
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
index 332913f9d..d7e7b7e49 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
@@ -768,6 +768,7 @@ sub cleanHeaders {
 my ( $class, $req ) = @_;
 my $vhost = $class->resolveAlias($req);
 if ( defined( $class->tsv->{headerList}->{$vhost} ) ) {
+ $class->logger->debug("Remove headers relative to $vhost");
 $class->unset_header_in( $req,
 @{ $class->tsv->{headerList}->{$vhost} } );
 }
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/Main.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/Main.pm
index 090f2c7e5..788983a4b 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/Main.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/Main.pm
@@ -5,7 +5,7 @@ package Lemonldap::NG::Handler::Server::Main;
 use strict;
-our $VERSION = '2.0.6';
+our $VERSION = '2.0.10';
 use base 'Lemonldap::NG::Handler::PSGI::Main';
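Review bot: The new debug line in cleanHeaders fires only when `headerList->{$vhost}` is defined, so a request whose vhost resolves to no header list — the very case in which request headers are left untouched — still produces no trace at all; a matching `else { $class->logger->debug("No headers to remove for $vhost") }` would make that outcome visible when debugging. `$vhost` is the result of `resolveAlias($req)` and is therefore request-derived; the hunk does not show whether the logger escapes what it interpolates, which is worth confirming if these logs are machine-parsed. cleanHeaders ends outside the hunk.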
@@ -25,13 +25,17 @@ sub set_header_in {
 push @{ $req->{respHeaders} }, %headers;
 }
+## @method void unset_header_in(array headers)
+# deletes request headers and push headers that will be removed by LUA
+# @param headers array containing header names
 sub unset_header_in {
 my ( $class, $req, @headers ) = @_;
 $req->data->{deleteIndex} //= 1;
 my $i = $req->data->{deleteIndex};
- foreach my $header(@headers) {
+ foreach my $header (@headers) {
 $class->logger->debug("Delete header $header");
- $req->{respHeaders} = [ grep { $_ ne $header and $_ ne cgiName($header) }
+ $req->{respHeaders} =
+ [ grep { $_ ne $header and $_ ne cgiName($header) }
 @{ $req->{respHeaders} } ];
 delete $req->{env}->{ cgiName($header) };
 push @{ $req->{respHeaders} }, "Deleteheader$i", $header;
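Review bot: The reformatted filter on `$req->{respHeaders}` treats the array as a list of header names, but `set_header_in` just above pushes it as flattened `%headers` key/value pairs and this sub itself pushes `"Deleteheader$i", $header` pairs; `grep { $_ ne $header and $_ ne cgiName($header) }` therefore drops a matching key while keeping its value (and drops any value that happens to equal the header name), which shifts every following pair and can turn a header value into a response-header name. Since the list is pairwise, the removal should walk it two at a time and compare only the keys, as sketched below. The new `## @method` comment also omits the `$req` argument the signature takes; adding `# @param req request object` would complete it. unset_header_in continues past the hunk.
```perl
        $class->logger->debug("Delete header $header");
        # respHeaders is a flat key/value list: compare keys only so the
        # pairing survives the removal
        my @remaining = @{ $req->{respHeaders} };
        my @kept;
        while ( my ( $name, $value ) = splice @remaining, 0, 2 ) {
            next if $name eq $header or $name eq cgiName($header);
            push @kept, $name, $value;
        }
        $req->{respHeaders} = \@kept;
        # … unchanged: delete from env, push Deleteheader$i …
```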