Update changelog

Add warning message about yunohost version being obsolete (#113 )
[fix] CVE-2018-11347 http header injection
2024-09-03 20:06:27 +02:00 · 2019-01-08 18:06:37 +01:00 · 2018-12-18 16:15:08 +01:00 · 2018-12-06 23:21:13 +01:00 · 2018-11-04 16:20:24 +01:00 · 2017-09-16 19:22:47 +02:00
6 changed files with 32 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -66,7 +66,7 @@ If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent`

 ## Available parameters

-These are the SSOwat's configuration parameters. Only `portal_domain` and `skipped_urls` are required, but it is recommended to know the others to fully understand what you can do with SSOwat.
+These are the SSOwat's configuration parameters. Only `portal_domain` is required, but it is recommended to know the others to fully understand what you can do with SSOwat.

 #### portal_domain

@ -104,6 +104,10 @@ LDAP user identifier (**default**: `uid`)

 User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)

+#### ldap_enforce_crypt
+
+Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`)
+
 #### allow_mail_authentication

 Whether users can authenticate with their mail address (**default**: `true`)
--- a/config.lua
+++ b/config.lua
@ -50,6 +50,8 @@ function get_config()
        ldap_host                 = "localhost",
        ldap_group                = "ou=users,dc=yunohost,dc=org",
        ldap_identifier           = "uid",
+        ldap_enforce_crypt        = true,
+        skipped_urls              = {},
        ldap_attributes           = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"},
        allow_mail_authentication = true,
        default_language          = "en"
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,11 @@
+ssowat (2.7.15) stable; urgency=low
+
+  * Add a warning about Jessie being deprecated and encouragement to migrate
+    to Stretch / 3.x
+  * [fix] CVE-2018-11347 http header injection (by Bram)
+
+ -- Alexandre Aubin <alex.aubin@mailoo.org>  Tue, 08 Jan 2019 18:00:00 +0000
+
 ssowat (2.7.14) stable; urgency=low

  * Make tile dragging work on mobile devices
--- a/helpers.lua
+++ b/helpers.lua
@ -293,7 +293,9 @@ function authenticate(user, password)
    -- cache shared table in order to eventually reuse it later when updating
    -- profile information or just passing credentials to an application.
    if connected then
-        ensure_user_password_uses_strong_hash(connected, user, password)
+        if conf['ldap_enforce_crypt'] then
+            ensure_user_password_uses_strong_hash(connected, user, password)
+        end
        cache:add(user.."-password", password, conf["session_timeout"])
        ngx.log(ngx.NOTICE, "Connected as: "..user)
        return user
@ -575,12 +577,13 @@ end
 -- if it's not the case, it migrates the password to this new hash algorithm
 function ensure_user_password_uses_strong_hash(ldap, user, password)
    local current_hashed_password = nil
+    conf = config.get_config()

    for dn, attrs in ldap:search {
-        base = "ou=users,dc=yunohost,dc=org",
+        base = conf['ldap_group'],
        scope = "onelevel",
        sizelimit = 1,
-        filter = "(uid="..user..")",
+        filter = "("..conf['ldap_identifier'].."="..user..")",
        attrs = {"userPassword"}
    } do
        current_hashed_password = attrs["userPassword"]:sub(0, 10)
@ -866,6 +869,14 @@ function login()
    -- Forward the `r` URI argument if it exists to redirect
    -- the user properly after a successful login.
    if uri_args.r then
+        -- If `uri_args.r` contains line break, someone is probably trying to
+        -- pass some additional headers
+        if string.match(uri_args.r, "(.*)\n") then
+            flash("fail", t("redirection_error_invalid_url"))
+            ngx.log(ngx.ERR, "Redirection url is invalid")
+            return redirect(conf.portal_url)
+        end
+
        return redirect(conf.portal_url.."?r="..uri_args.r)
    else
        return redirect(conf.portal_url)
--- a/portal/info.html
+++ b/portal/info.html
@ -1,3 +1,5 @@
+<div class="wrapper messages warning">{{t_obsolete_version}}</div>
+
 <div class="ynh-wrapper user">
  <ul class="user-menu">
    <li><a class="icon icon-connexion" href="?action=logout">{{t_logout}}</a></li>
--- a/portal/locales/en.json
+++ b/portal/locales/en.json
@ -19,6 +19,7 @@
   "confirm": "Confirm",
   "login": "Login",
   "logout": "Logout",
+   "obsolete_version": "The version of YunoHost running on this server is obsolete and should be upgraded to YunoHost 3.x / Stretch. Please contact your administrator about this.",
   "password_changed": "Password successfully changed",
   "password_changed_error": "An error occurred on password changing",
   "password_not_match": "New passwords don't match",
Author	SHA1	Message	Date
Alexandre Aubin	59ac673ef6	Update changelog	2019-01-08 18:06:37 +01:00
Alexandre Aubin	e76d9eb69c	Add warning message about yunohost version being obsolete (#113 )	2018-12-18 16:15:08 +01:00
Laurent Peuch	fe3d445507	[fix] CVE-2018-11347 http header injection	2018-12-06 23:21:13 +01:00
Alexandre Aubin	23bde07c9b	Merge pull request #92 from tYYGH/PR_choiceRewritePW+fixes 1º Let the admin choose if the passwords should be overwriten using crypt; 2º minor fixes	2018-11-04 16:20:24 +01:00
Y	db9059a55c	let the admin decide how passwords are handled	2017-09-16 19:22:47 +02:00
Y	6b6fd09f34	portal_path must end with /	2017-09-16 18:51:57 +02:00