Commit graph

121 commits

Author SHA1 Message Date
Alexandre Aubin
ca7cf2c2cc Iterate on previous security fixes: ignore Auth header on PROPFIND routes, and don't drop Auth headers which are not Basic auth 2023-01-10 14:10:40 +01:00
Alexandre Aubin
1f56a08621 security: Also check client-provided auth headers to prevent impersonation 2023-01-10 14:10:40 +01:00
selfhoster1312
7fc0350788 Authentication headers are ONLY set when user is logged in and has access to app
Prevents impersonating users on public applications where the auth headers were not cleared
2023-01-10 14:10:40 +01:00
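Read together, the three commits above describe one rule for the headers a reverse-proxy SSO forwards: a client-supplied Basic credential that could pass for the SSO's own must not reach the app, other schemes pass through untouched, PROPFIND (WebDAV) routes are left alone, and the SSO's credential is injected only for a user who is logged in and allowed on that app. The block below is an added example that models that rule in plain Lua so it runs with a stock `lua` binary; it is not SSOwat's code. `req`, `session`, `app`, `scrub_client_auth`, `inject_sso_auth` and `upstream_headers` are hypothetical stand-ins for `ngx.req` and the SSO's session and permission data, the header name `Authorization` is an assumption (the log shows both `Authorization` and `Proxy-Authorization` were tried), the PROPFIND handling is my reading of "ignore Auth header on PROPFIND routes", and the sample requests and tokens are constructed.

```lua
-- Added example, not SSOwat's own code: the auth-header policy from the
-- commits above, on plain Lua tables so it runs with a stock `lua` binary.
-- Assumptions: `req` has .method and .headers (exact-case keys here; nginx's
-- own header lookup is case-insensitive); `session` has .logged_in, .user and
-- .basic_token (the base64 "user:password" the SSO would inject);
-- `app.allowed_users` stands in for the SSO's permission check.

local AUTH_HEADERS = { "Authorization", "Proxy-Authorization" }
local SSO_HEADER = "Authorization"  -- assumption; the log shows both names were tried

local function is_basic(v)
  return type(v) == "string" and v:lower():match("^basic%s") ~= nil
end

-- Step 1: scrub what the client sent. A Basic credential on a normal route
-- could be a forged copy of what the SSO injects, so it is dropped; Bearer,
-- Digest, etc. are the app's business and pass through. On PROPFIND (WebDAV)
-- routes the client's own Basic credential is left for the app (my reading
-- of "ignore Auth header on PROPFIND routes").
local function scrub_client_auth(req)
  local out = {}
  for k, v in pairs(req.headers or {}) do out[k] = v end
  if req.method ~= "PROPFIND" then
    for _, name in ipairs(AUTH_HEADERS) do
      if is_basic(out[name]) then out[name] = nil end
    end
  end
  return out
end

-- Step 2: inject the SSO credential only when the user is logged in AND
-- allowed on this app. An anonymous visit to a public app therefore gets no
-- header at all, which is the case 7fc0350788 closes.
local function inject_sso_auth(headers, session, app)
  if session and session.logged_in and app.allowed_users[session.user] then
    headers[SSO_HEADER] = "Basic " .. session.basic_token
  end
  return headers
end

local function upstream_headers(req, session, app)
  return inject_sso_auth(scrub_client_auth(req), session, app)
end

-- Constructed sample traffic (tokens are opaque placeholders).
local app = { allowed_users = { alice = true } }

-- anonymous client forging a Basic header: must not reach the app
local h = upstream_headers({ method = "GET", headers = { Authorization = "Basic YWxpY2U6aHVudGVyMg==" } }, nil, app)
assert(h.Authorization == nil)

-- same attempt through the Proxy-Authorization spelling
h = upstream_headers({ method = "GET", headers = { ["Proxy-Authorization"] = "Basic YWxpY2U6aHVudGVyMg==" } }, nil, app)
assert(h["Proxy-Authorization"] == nil)

-- logged in with access: the SSO's own credential, not the client's, is forwarded
local alice = { logged_in = true, user = "alice", basic_token = "YWxpY2U6c2VjcmV0" }
h = upstream_headers({ method = "GET", headers = { Authorization = "Basic Ym9iOnM=" } }, alice, app)
assert(h.Authorization == "Basic YWxpY2U6c2VjcmV0")

-- logged in but not allowed on this app: nothing injected
local bob = { logged_in = true, user = "bob", basic_token = "Ym9iOnM=" }
h = upstream_headers({ method = "GET", headers = {} }, bob, app)
assert(h.Authorization == nil)

-- non-Basic scheme passes through untouched, even with no session
h = upstream_headers({ method = "GET", headers = { Authorization = "Bearer app-token" } }, nil, app)
assert(h.Authorization == "Bearer app-token")

-- WebDAV client keeps its own Basic credential on PROPFIND
h = upstream_headers({ method = "PROPFIND", headers = { Authorization = "Basic ZGF2OmFwcHB3" } }, nil, app)
assert(h.Authorization == "Basic ZGF2OmFwcHB3")

print("auth header policy: all cases pass")
```

The order matters: scrubbing runs before injection, so a logged-in user never ends up with two competing credentials, and a logged-in user without access ends up with none. In a real deployment the scrub step has to run on every request that the proxy forwards, not only on the login path, because the impersonation in 7fc0350788 is precisely a request that never touched the login path.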
Kay0u
981960fb50 Another fix for redirect function 2021-11-16 21:40:04 +01:00
Alexandre Aubin
325964742d Improve check for unauthorized redirect url
Co-authored-by: Kayou <pierre@kayou.io>
2021-11-15 19:02:13 +01:00
Kayou
0e6369bb38 fix not only alphanumeric characters domain name 2021-11-15 00:49:51 +01:00
ljf (zamentur)
35ee437272 [fix] Avoid redirection on unmanaged domains (#191)
* [fix] Avoid redirection on unmanaged domains

* [fix] redirect with uri

* Update helpers.lua

Co-authored-by: Alexandre Aubin <alex.aubin@mailoo.org>
2021-09-19 21:15:54 +02:00
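The four redirect commits above (35ee437272, 0e6369bb38, 325964742d, 981960fb50) are the usual life cycle of an open-redirect fix: first restrict the target to managed domains, then keep the request URI, then discover that real domain names contain characters beyond `[a-z0-9]`, then tighten the check again. The block below is an added example, not SSOwat's `helpers.lua`, showing a standalone Lua version of such a check and the inputs it has to refuse. `managed_domains`, `parse_url` and `safe_redirect` are hypothetical names, the domain list is an assumption standing in for the SSO's configuration, and every URL in the cases is constructed.

```lua
-- Added example, not SSOwat's own code: a standalone check for the
-- "only redirect to managed domains" rule from the commits above, in plain
-- Lua. `managed_domains` stands in for the SSO's domain list (assumption);
-- the URL parsing is written here and is not the project's helpers.lua.

-- Minimal absolute-URL parser: scheme://host[:port][path]. Returns nil for
-- anything it cannot classify, and the caller treats nil as "do not redirect".
local function parse_url(url)
  local scheme, rest = url:match("^(%a[%w+.-]*)://(.*)$")
  if not scheme then return nil end
  local authority, path = rest:match("^([^/?#]*)(.*)$")
  -- "https://example.tld@evil.tld/": the real host is after the '@'.
  -- Rejecting userinfo outright is simpler than getting that right.
  if authority:find("@", 1, true) then return nil end
  local host, port = authority:match("^([^:]+):?(%d*)$")
  if not host then return nil end
  -- domain names are not only alphanumeric: '-' and '.' are legal
  -- (the point of 0e6369bb38); anything else is rejected
  if not host:match("^[%w.-]+$") then return nil end
  return { scheme = scheme:lower(), host = host:lower(), port = port,
           path = (path ~= "" and path or "/") }
end

-- Returns the URL to redirect to, or nil if it must not be followed.
local function safe_redirect(url, managed_domains)
  -- a plain path stays on the current host; "//evil.tld" and "/\evil.tld"
  -- are not plain paths and fall through to the absolute-URL branch
  if url == "/" or url:match("^/[^/\\]") then return url end
  local u = parse_url(url)
  if not u or (u.scheme ~= "http" and u.scheme ~= "https") then return nil end
  for _, d in ipairs(managed_domains) do
    if u.host == d:lower() then  -- exact match: no suffix or prefix tricks
      return u.scheme .. "://" .. u.host
        .. (u.port ~= "" and ":" .. u.port or "") .. u.path
    end
  end
  return nil
end

-- Constructed cases.
local domains = { "example.tld", "my-domain.tld" }
assert(safe_redirect("https://example.tld/nextcloud/", domains) == "https://example.tld/nextcloud/")
assert(safe_redirect("https://MY-DOMAIN.tld/app?x=1", domains) == "https://my-domain.tld/app?x=1")
assert(safe_redirect("/yunohost/admin/", domains) == "/yunohost/admin/")
assert(safe_redirect("https://evil.tld/", domains) == nil)
assert(safe_redirect("https://example.tld.evil.tld/", domains) == nil)
assert(safe_redirect("https://evil.tld/?next=example.tld", domains) == nil)
assert(safe_redirect("https://example.tld@evil.tld/", domains) == nil)
assert(safe_redirect("//evil.tld/", domains) == nil)
assert(safe_redirect("javascript:alert(1)", domains) == nil)
assert(safe_redirect("ftp://example.tld/", domains) == nil)
print("redirect check: all cases pass")
```

The comparison is on the parsed host only and is an exact, case-folded match against the list; a substring or pattern match on the whole URL is what lets `https://evil.tld/?next=example.tld` and `https://example.tld.evil.tld/` through, and a character class that forgets `-` is what breaks `my-domain.tld`.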
Alexandre Aubin
07378dfd46 Forgot to python -> python3 in password check 2021-08-15 21:41:50 +02:00
Alexandre Aubin
b28788d708 Improve logging when failing to authenticate ssowat cookies 2021-08-14 21:26:19 +02:00
ljf
c34d9fd74d [fix] Not enough random file name 2021-07-29 16:34:56 +02:00
ljf
8d0998bc3a [enh] Add comment 2021-07-02 19:51:02 +02:00
ljf
f6ddb7af65 [fix] Nextcloud calls strangely log out the user in SSO 2021-07-02 19:49:17 +02:00
ljf
6de4b10e81 [fix] Security risk due to cache full of different uris 2021-07-02 17:40:17 +02:00
ljf
b3741580da [fix] dash filename, mime types, ynh_userinfo.json 2021-06-29 18:34:40 +02:00
Alexandre Aubin
2e8c2f9c67 Merge pull request #183 from YunoHost/avoid-a-syscall-for-cookies
Avoid a syscall for cookies
2021-04-08 15:38:18 +02:00
Kay0u
45e4f9de05 avoid a syscall for cookies 2021-04-08 11:11:46 +02:00
Kay0u
24e7755e8a remove SSOwAuthRedirect 2021-04-08 10:58:36 +02:00
Kay0u
6c4c1ca54d Revert my stuff, just change the name of header to Proxy-Authorization + set is_logged_in to false by default 2020-12-24 17:49:24 +01:00
Kay0u
73c5524518 is_logged_in is false at the beginning of the refresh function 2020-12-24 10:20:29 +01:00
Kay0u
50db509330 revert: set "Authorization" headers not Proxy 2020-12-23 18:39:54 +01:00
Kay0u
0ff5cc6af7 Authorization -> Proxy-Authorization 2020-12-23 18:13:34 +01:00
Kay0u
a756462e6c parse auth header at the end 2020-12-23 15:20:55 +01:00
Titoko
1747da0571 Update access.lua 2020-12-17 20:12:22 +01:00
titoko
2ca6847d4d Update helpers.lua 2020-12-13 12:05:27 +01:00
titoko
a0129b437e fix(Authorization): Skipped Authorization Headers that are not Basic 2020-12-12 14:23:46 +01:00
Alexandre Aubin
6a7a9d668e Restore ngx logging used by fail2ban to detect failed login attempts 2020-10-31 13:53:19 +01:00
Alexandre Aubin
ed6fa1aa49 Add a small helper to check if an element is in a table ... in turn fixing a bug related to calling has_access 2020-09-21 14:42:26 +02:00
Alexandre Aubin
41ed91bbcb Misc cosmetics / debug tweaks 2020-09-20 18:00:49 +02:00
Alexandre Aubin
a11d8f0d87 Move identification of relevant permission from helpers.lua to access.lua 2020-09-20 17:58:26 +02:00
Alexandre Aubin
abc38bbffe Move handling of login through HTTP headers to is_logged_in helper 2020-09-20 17:53:18 +02:00
Kay0u
41ac2e5bf8 Merge remote-tracking branch 'origin/dev' into permission_protection 2020-09-01 20:56:20 +02:00
Kay0u
fb45cd0441 do not compare the same thing several times 2020-06-18 14:48:14 +02:00
Kay0u
397f7b3910 authUser is defined only if authHash is accepted 2020-05-21 22:57:57 +02:00
Kay0u
6a240e1dea better log message 2020-05-21 22:57:05 +02:00
SilverViper
728620778e prevent SSOwAuthRedirect=;; 2020-04-30 17:39:07 +02:00
SilverViper
e4b415a64e Remove all ;; in Set-Cookie 2020-04-30 15:45:41 +02:00
Laurent Peuch
e0a66428ea [fix] invalid more cookies 2020-04-17 00:56:40 +02:00
Kay0u
0fc89d0fc9 Rework access 2020-04-01 00:43:59 +02:00
Kay0u
d8c74604c0 portal with the new config file 2020-03-31 02:20:40 +02:00
Kay0u
8cc2bd4b28 Avoid unnecessarily reloading the config file 2020-03-29 18:02:49 +02:00
Kay0u
bf0dc73381 using permissions, not users directive 2020-03-04 11:34:24 +01:00
Kay0u
97620aaac7 Unused condition 2020-03-04 11:32:53 +01:00
Kay0u
af892991af refactor legacy url protections 2020-02-13 10:06:32 +07:00
Kay0u
f74619020d Fix if no permission exist 2020-01-29 18:24:25 +07:00
Kay0u
02b4ecec8c Fix legacy/new permissions 2020-01-20 22:59:25 +07:00
Kay0u
19ae10200d fix string.match 2020-01-17 14:56:32 +07:00
Alexandre Aubin
ff700062a5 At least one rule should exist + should be the longest match 2019-10-09 18:45:50 +02:00
Alexandre Aubin
a13a2fee1e More extensive check between allowed rules vs. protected rules 2019-10-03 23:11:52 +02:00
Alexandre Aubin
1eb322df17 Many tweaks in log system + implement many log messages in low-level functions 2019-10-03 20:42:01 +02:00
Alexandre Aubin
474b922089 Be consistent: either we use log() everywhere or we don't ... But imho just logger.info() is fine 2019-09-24 17:33:19 +02:00