Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB

Wed, 22 May 2019 04:51:42 -0700 

On Wed, 22 May 2019 at 07:34:06 +0200, Xavier wrote:
> It seems that Clément has fixed something related to that feature.
> Could you try 
> https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4
>  ?

That solves the issue indeed, thanks for the pointer!  I ended up
amending the patch as attached though:

 * Not setting the ‘Access-Control-Allow-Origin: *’ header is upstream
   issue #1519, fixed in e6c034a38aa0e7dadcf0ce87809193b327fbc0e5.

 * The second to last hunk from deff50f072c64898d1204daa28c01fdcc7275ea4
   (-2134,8 +2137,10) doesn't apply, and as it's only cosmetic
   (whitespace change) I just skipped it.

Cheers,
-- 
Guilhem.

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
@@ -1049,7 +1049,7 @@ sub updatePersistentSession {
 
 }
 
-## @method void updateSession(hashRef infos, string id)
+## @method void updateSession(hashRef infos, string id, string kind)
 # Update session stored.
 # If no id is given, try to get it from cookie.
 # If the session is available, update datas with $info.
@@ -1057,9 +1057,10 @@ sub updatePersistentSession {
 # server local cache, if there are several LL::NG servers.
 # @param infos hash reference of information to update
 # @param id Session ID
+# @param kind Session kind
 # @return nothing
 sub updateSession {
-    my ( $self, $infos, $id ) = @_;
+    my ( $self, $infos, $id, $kind ) = @_;
 
     # Return if no infos to update
     return () unless ( ref $infos eq 'HASH' and %$infos );
@@ -1084,7 +1085,9 @@ sub updateSession {
         }
 
         # Update session in global storage
-        if ( my $apacheSession = $self->getApacheSession( $id, 1 ) ) {
+        if ( my $apacheSession =
+            $self->getApacheSession( $id, 1, undef, $kind ) )
+        {
 
             # Store updateTime
             $infos->{updateTime} = strftime( "%Y%m%d%H%M%S", localtime() );
@@ -1567,9 +1570,8 @@ sub process {
     {
         if ( ( my $code = $self->{error} ) > 0 ) {
             print $self->header(
-                -status                        => '401 Unauthorizated',
-                '-WWW-Authenticate'            => "SSO $self->{portal}",
-                '-Access-Control-Allow-Origin' => '*',
+                -status             => '401 Unauthorizated',
+                '-WWW-Authenticate' => "SSO $self->{portal}",
             );
             $self->quit;
         }
@@ -2744,7 +2746,7 @@ sub autoRedirect {
                     $cdaInfos->{cookie_name} = $self->{cookieName} . "http";
                 }
 
-                $self->updateSession( $cdaInfos, $cdaSession->id );
+                $self->updateSession( $cdaInfos, $cdaSession->id, "CDA" );
 
                 $self->{urldc} .=
                     ( $self->{urldc} =~ /\?/ ? '&' : '?' )

Attachment: signature.asc
Description: PGP signature

Reply via email to