
Bug#1114979: trixie-pu: package lemonldap-ng/2.21.2+ds-1+deb13u



Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: lemonldap-ng@packages.debian.org, yadd@debian.org
Control: affects -1 + src:lemonldap-ng
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Lemonldap-ng is vulnerable to 2 little security issues and one bug that
may block some users:
 * #3445: Google OIDC authentication module fails with "No response type provided"
 * #3446: [security:low] session id exposed in portal AJAX responses
 * #3462: [security:low] Shell injection in Safe Jail

[ Impact ]
 * Bug for people who want to use "authenticate with Google"
 * Low security issue when notification is used, admin can write files
   with the www-data rights
 * Low security issue, Ajax responses contain a value (which exists in
   the cookie anyway)

[ Tests ]
Patches contain additional tests for these issues

[ Risks ]
Low risk: patches are trivial, lemonldap-ng has no reverse
dependencies and test coverage is good

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Important: there are 2 options (exactly the same code):
- add 3 patches
- import 2.21.3

I attached the 2 debdiffs to let you choose

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 211a03423..c32f0aff7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lemonldap-ng (2.21.2+ds-1+deb13u1) trixie; urgency=medium
+
+  * Fix shell injection from admin interface
+  * Don't expose session-id into Ajax responses
+  * Fix Google authentication
+
+ -- Yadd <yadd@debian.org>  Fri, 12 Sep 2025 12:37:49 +0200
+
 lemonldap-ng (2.21.2+ds-1) unstable; urgency=medium
 
   * Update debian upstream keys
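Review bot: the three new changelog lines (`+  * Fix shell injection from admin interface`, `+  * Don't expose session-id into Ajax responses`, `+  * Fix Google authentication`) do not carry the upstream issue numbers (#3445, #3446, #3462) that the [Reason] section of this request lists; adding them to each line lets the security tracker and stable users match the entry to the patches in debian/patches/.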
diff --git a/debian/patches/dont-expose-session-id-in-ajax-responses.patch b/debian/patches/dont-expose-session-id-in-ajax-responses.patch
new file mode 100644
index 000000000..57d0aab8d
--- /dev/null
+++ b/debian/patches/dont-expose-session-id-in-ajax-responses.patch
@@ -0,0 +1,37 @@
+Description: don't expose session id into Ajax responses
+Author: Yadd <yadd@debian.org>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/778
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3446
+Forwarded: not-needed
+Applied-Upstream: 2.21.3, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3446
+Last-Update: 2025-09-12
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -679,6 +679,7 @@
+         ? $req->{sessionInfo}
+         : $req->{userData}
+     );
++    $req->data->{newAuth} = 1;
+     $self->auditLog(
+         $req,
+         message => (
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+@@ -195,7 +195,6 @@
+ 
+ sub authenticatedRequest {
+     my ( $self, $req ) = @_;
+-    $req->data->{alreadyAuthenticated} = 1;
+     return $self->do(
+         $req,
+         [
+@@ -400,7 +399,7 @@
+         }
+         else {
+             my $res = { result => 1, error => $err };
+-            unless ( $req->data->{alreadyAuthenticated} ) {
++            if ( $req->data->{newAuth} ) {
+                 $res->{id}      = $req->id;
+                 $res->{id_http} = $req->sessionInfo->{_httpSession}
+                   if $req->sessionInfo->{_httpSession};
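Review bot: the condition change in the Run.pm hunk turns an opt-out into an opt-in, which is the right direction for a secret: `unless ( $req->data->{alreadyAuthenticated} )` put `id` and `id_http` into every successful Ajax response whose code path had not set the flag, whereas `if ( $req->data->{newAuth} )` only includes them when `buildCookie` in Process.pm has just created the session. The thing to double-check is the other side of that inversion: any code path that issues a session without passing through `buildCookie` will now silently stop returning the id to the JavaScript client, so a regression test asserting that a JSON login still returns `id` while an already-authenticated Ajax call does not would pin both behaviours down. Minor: `Applied-Upstream:` points at the issue URL; DEP-3 expects the upstream commit or merge request there (the `Origin:` line already has the MR).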
diff --git a/debian/patches/fix-admin-shell-injection.patch b/debian/patches/fix-admin-shell-injection.patch
new file mode 100644
index 000000000..222da48f2
--- /dev/null
+++ b/debian/patches/fix-admin-shell-injection.patch
@@ -0,0 +1,41 @@
+Description: fix shell injection from admin interface (notifications
+Author: Maxime Besson <maxime.besson@worteks.com>
+Origin: upstream, commit:228d0194, commit:8b5ce4de
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3462
+Forwarded: not-needed
+Applied-Upstream: 2.21.3, commit:228d0194
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2025-09-12
+
+--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+@@ -673,7 +673,7 @@
+ sub buildSub {
+     my ( $class, $val ) = @_;
+     my $res =
+-      $class->tsv->{jail}->jail_reval("sub{my (\$r,\$s)=\@_;return($val)}");
++      $class->tsv->{jail}->jail_reval("sub{my (\$r,\$s)=\@_; local *_;return($val)}");
+     unless ($res) {
+         $class->logger->error( $class->tsv->{jail}->error );
+     }
+--- a/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t
++++ b/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t
+@@ -154,6 +154,18 @@
+         "0", "inDomain works for notexample.com" );
+     is( $r->( { env => { HTTP_HOST => "exampleacom" } }, {} ),
+         "0", "inDomain works for exampleacom" );
++
++    # Complex expressions
++    $r = compileRule('join(":",grep {$_ eq "a"} split(":", $list))');
++    is( ref($r), "CODE", "Returned code ref" );
++    is(
++        $r->(
++            { env  => { HTTP_HOST => "AUTH.EXAMPLE.COM" } },
++            { list => "a:b:c:a:d:a" }
++        ),
++        "a:a:a"
++    );
++
+ }
+ 
+ sub runUnsafeTests {
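Review bot: this patch carries only the `runTests` hunk of the upstream test change. The 2.21.3 debdiff for `t/14-Lemonldap-NG-Handler-Rule-Building.t` also bumps `plan tests => 35` to `37` and `plan tests => 33` to `35` in the "Safe jail off" and "Safe jail on" subtests, because the two new `is()` calls added to `runTests` run once per subtest; with the plans left unchanged, both subtests will fail with a plan mismatch unless the Debian build skips this file. Either add those two hunks or confirm the file is excluded by Avoid-developer-tests.patch. Two smaller points: the `Description:` line stops at `(notifications` and is missing its closing parenthesis, and the added test only checks that an expression using `$_` inside `grep` still evaluates correctly once `local *_` is in the generated sub; a negative test in `runUnsafeTests` for the #3462 behaviour would make the regression protection explicit rather than indirect.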
diff --git a/debian/patches/fix-google-auth.patch b/debian/patches/fix-google-auth.patch
new file mode 100644
index 000000000..9781d3ba4
--- /dev/null
+++ b/debian/patches/fix-google-auth.patch
@@ -0,0 +1,45 @@
+Description: fix Google OIDC authentication
+Author: Maxime Besson <maxime.besson@worteks.com
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/777
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3445
+Forwarded: not-needed
+Applied-Upstream: 2.21.3, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/777
+Reviewed-By: <name and email of someone who approved/reviewed the patch>
+Last-Update: 2025-09-12
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+@@ -2751,6 +2751,10 @@
+ sub exportRequestParameters {
+     my ( $self, $req ) = @_;
+ 
++    unless ( $self->ssoMatch($req) ) {
++        return PE_OK;
++    }
++
+     if ( my $p = $req->param('prompt') ) {
+         if ( $p eq 'none' ) {
+             return $self->_unauthPromptNone($req);
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+@@ -466,6 +466,9 @@
+             openidconnectcallback => 1,
+             error                 => "canceled",
+             state                 => $state,
++
++            # 3445, make sure unwanted parameters don't confuse LLNG
++            prompt => "none",
+         },
+         accept => 'text/html',
+     ),
+@@ -551,6 +554,10 @@
+     return LLNG::Manager::Test->new( {
+             ini => {
+                 logLevel                   => $debug,
++
++                # needed to to test #3445
++                issuerDBOpenIDConnectActivation => "1",
++
+                 domain                     => 'rp.com',
+                 portal                     => 'http://auth.rp.com/',
+                 authentication             => 'OpenIDConnect',
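Review bot: `Reviewed-By: <name and email of someone who approved/reviewed the patch>` is the unfilled DEP-3 template placeholder; fill it in or drop the field, and the `Author:` line is missing its closing `>`. On the code itself, the early `return PE_OK` when `ssoMatch($req)` is false makes `exportRequestParameters` skip the `prompt` handling (and the rest of the authorization-request processing) for requests that are not addressed to the OIDC issuer, which is exactly what the test exercises by adding `prompt => "none"` to the RP callback parameters; that matches the #3445 symptom of callback parameters being interpreted as a new authorization request. The test comment `# needed to to test #3445` has a doubled "to".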
diff --git a/debian/patches/series b/debian/patches/series
index 8bfa6370a..eac41f673 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,6 @@ javascript-path.patch
 Avoid-developer-tests.patch
 replace-api-doc-by-link.diff
 fix-makefile.patch
+fix-admin-shell-injection.patch
+dont-expose-session-id-in-ajax-responses.patch
+fix-google-auth.patch
diff --git a/changelog b/changelog
index a87a5b46c..0ab183f6d 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,12 @@
+lemonldap-ng (2.21.3) noble; urgency=medium
+
+  * Bugs:
+    * #3445: Google OIDC authentication module fails with "No response type provided"
+    * #3446: [security:medium] session id exposed in portal AJAX responses
+    * #3462: [security:low] Shell injection in Safe Jail
+
+ -- Clément <clem.oudot@gmail.com>  Fri, 05 Sep 2025 17:58:17 +0200
+
 lemonldap-ng (2.21.2) noble; urgency=medium
 
   * Bugs:
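Review bot: the upstream changelog rates #3446 as `[security:medium]`, while the [Reason] section of this request and the Debian changelog entry call it low. The two assessments should agree, or the request should state why the Debian rating differs (the [Impact] section's "which exists in the cookie anyway" is presumably the argument), so that the release team and the security team triage it consistently.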
diff --git a/codemeta.json b/codemeta.json
index be13d2257..08a573b4c 100644
--- a/codemeta.json
+++ b/codemeta.json
@@ -6,11 +6,11 @@
     "contIntegration": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/pipelines";,
     "dateCreated": "2004-01-01",
     "datePublished": "2010-12-06",
-    "dateModified": "2025-07-11",
+    "dateModified": "2025-09-05",
     "downloadUrl": "https://lemonldap-ng.org/download.html";,
     "issueTracker": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues";,
     "name": "LemonLDAP::NG",
-    "version": "2.21.2",
+    "version": "2.21.3",
     "description": "LemonLDAP::NG is a complete and modular Web-SSO system that can run with reverse-proxies or directly on application webservers. It can be used in conjunction with OpenID-Connect, CAS and SAML systems as identity or service provider. It can also be used as proxy between those federation systems.\n\nIt manages both authentication and authorization and provides headers for accounting. So you can have a full AAA protection. Authorizations are built by associating a regular expression and a rule. Regular expression is applied on the requested URL and the rule calculates if the user is authorized.",
     "applicationCategory": "WebSSO",
     "developmentStatus": "active",
diff --git a/debian/changelog b/debian/changelog
index 53a486980..98e6a40d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lemonldap-ng (2.21.3+ds-1~deb13u1) trixie; urgency=medium
+
+  * New upstream LTS release
+
+ -- Yadd <yadd@debian.org>  Fri, 12 Sep 2025 12:40:05 +0200
+
 lemonldap-ng (2.21.2+ds-2) unstable; urgency=medium
 
   * Don't run tests when doc isn't built (Closes: #1114164)
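Review bot: `+  * New upstream LTS release` on its own does not tell a stable user which security issues this upload fixes; list #3445, #3446 and #3462 here, as the 2.21.2+ds-1+deb13u1 variant of this request does in prose, so the entry is self-describing for the security tracker whichever of the two options is chosen.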
diff --git a/lemonldap-ng-common/META.json b/lemonldap-ng-common/META.json
index 2270dab84..1312c9b7e 100644
--- a/lemonldap-ng-common/META.json
+++ b/lemonldap-ng-common/META.json
@@ -98,6 +98,6 @@
       ],
       "x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org";
    },
-   "version" : "v2.21.2",
+   "version" : "v2.21.3",
    "x_serialization_backend" : "JSON::PP version 4.16"
 }
diff --git a/lemonldap-ng-common/META.yml b/lemonldap-ng-common/META.yml
index 71e47566e..6c8cb6859 100644
--- a/lemonldap-ng-common/META.yml
+++ b/lemonldap-ng-common/META.yml
@@ -74,5 +74,5 @@ resources:
   bugtracker: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
   homepage: https://lemonldap-ng.org/
   license: http://opensource.org/licenses/GPL-2.0
-version: v2.21.2
+version: v2.21.3
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common.pm
index 9ce55bc74..a9a326485 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common.pm
@@ -1,6 +1,6 @@
 package Lemonldap::NG::Common;
 
-our $VERSION = '2.21.2';
+our $VERSION = '2.21.3';
 
 1;
 __END__
diff --git a/lemonldap-ng-handler/META.json b/lemonldap-ng-handler/META.json
index e5e23e3b5..630e4684b 100644
--- a/lemonldap-ng-handler/META.json
+++ b/lemonldap-ng-handler/META.json
@@ -45,7 +45,7 @@
          },
          "requires" : {
             "LWP::UserAgent" : "0",
-            "Lemonldap::NG::Common" : "v2.21.2",
+            "Lemonldap::NG::Common" : "v2.21.3",
             "Mouse" : "0",
             "URI" : "0"
          }
@@ -63,6 +63,6 @@
       ],
       "x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org";
    },
-   "version" : "v2.21.2",
+   "version" : "v2.21.3",
    "x_serialization_backend" : "JSON::PP version 4.16"
 }
diff --git a/lemonldap-ng-handler/META.yml b/lemonldap-ng-handler/META.yml
index 4322597a1..8bcd0f112 100644
--- a/lemonldap-ng-handler/META.yml
+++ b/lemonldap-ng-handler/META.yml
@@ -30,7 +30,7 @@ recommends:
   SOAP::Lite: '0'
 requires:
   LWP::UserAgent: '0'
-  Lemonldap::NG::Common: v2.21.2
+  Lemonldap::NG::Common: v2.21.3
   Mouse: '0'
   URI: '0'
 resources:
@@ -39,5 +39,5 @@ resources:
   bugtracker: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
   homepage: https://lemonldap-ng.org/
   license: http://opensource.org/licenses/GPL-2.0
-version: v2.21.2
+version: v2.21.3
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff --git a/lemonldap-ng-handler/Makefile.PL b/lemonldap-ng-handler/Makefile.PL
index 4336e5722..a08950e44 100644
--- a/lemonldap-ng-handler/Makefile.PL
+++ b/lemonldap-ng-handler/Makefile.PL
@@ -39,7 +39,7 @@ WriteMakefile(
         },
     },
     PREREQ_PM => {
-        'Lemonldap::NG::Common' => '2.21.2',
+        'Lemonldap::NG::Common' => '2.21.3',
         'LWP::UserAgent'        => 0,
         'Mouse'                 => 0,
         'URI'                   => 0,
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm
index 47eeb4791..66e8ff5ef 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm
@@ -3,7 +3,7 @@ package Lemonldap::NG::Handler;
 # Use the appropriate handler
 # For Apache, use Lemonldap::NG::Handler::ApacheMP2
 
-our $VERSION = '2.21.2';
+our $VERSION = '2.21.3';
 
 1;
 
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
index a30f9f89c..02169d8f0 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
@@ -673,7 +673,7 @@ sub substitute {
 sub buildSub {
     my ( $class, $val ) = @_;
     my $res =
-      $class->tsv->{jail}->jail_reval("sub{my (\$r,\$s)=\@_;return($val)}");
+      $class->tsv->{jail}->jail_reval("sub{my (\$r,\$s)=\@_; local *_;return($val)}");
     unless ($res) {
         $class->logger->error( $class->tsv->{jail}->error );
     }
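Review bot: `local *_;` is spliced into the generated source string right before `return($val)`, and `$val` (the rule text from the configuration) is still interpolated into that string unchanged; the fix therefore narrows what the rule body can reach through the shared `_` glob but adds no quoting or validation of the rule itself, so rule compilation continues to rely on the Safe jail's opcode mask when `useSafeJail` is on and on trusting the manager when it is off. A short comment in `buildSub` saying why `local *_` is there (issue #3462) would save the next maintainer from removing it as apparently redundant.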
diff --git a/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t b/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t
index 0b71953fb..62e700f98 100644
--- a/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t
+++ b/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t
@@ -154,6 +154,18 @@ sub runTests {
         "0", "inDomain works for notexample.com" );
     is( $r->( { env => { HTTP_HOST => "exampleacom" } }, {} ),
         "0", "inDomain works for exampleacom" );
+
+    # Complex expressions
+    $r = compileRule('join(":",grep {$_ eq "a"} split(":", $list))');
+    is( ref($r), "CODE", "Returned code ref" );
+    is(
+        $r->(
+            { env  => { HTTP_HOST => "AUTH.EXAMPLE.COM" } },
+            { list => "a:b:c:a:d:a" }
+        ),
+        "a:a:a"
+    );
+
 }
 
 sub runUnsafeTests {
@@ -173,7 +185,7 @@ eval { $h->localConfig($conf); $h->logLevelInit() };
 ok( !$@, 'init' );
 
 subtest "Safe jail off" => sub {
-    plan tests => 35;
+    plan tests => 37;
     ok( $h->configReload($conf), 'Load conf' );
     is(
         ref( $h->tsv->{jail}->jail ),
@@ -186,7 +198,7 @@ subtest "Safe jail off" => sub {
 };
 
 subtest "Safe jail on" => sub {
-    plan tests => 33;
+    plan tests => 35;
     ok( $h->configReload( { %$conf, useSafeJail => 1 } ), 'Load conf' );
     is( ref( $h->tsv->{jail}->jail ), "Safe", "Safe jail is enabled" );
 
diff --git a/lemonldap-ng-manager/META.json b/lemonldap-ng-manager/META.json
index 6284ec5f8..71298432c 100644
--- a/lemonldap-ng-manager/META.json
+++ b/lemonldap-ng-manager/META.json
@@ -45,8 +45,8 @@
             "Convert::PEM" : "0",
             "Crypt::OpenSSL::RSA" : "0",
             "LWP::UserAgent" : "0",
-            "Lemonldap::NG::Common" : "v2.21.2",
-            "Lemonldap::NG::Handler" : "v2.21.2"
+            "Lemonldap::NG::Common" : "v2.21.3",
+            "Lemonldap::NG::Handler" : "v2.21.3"
          }
       }
    },
@@ -62,6 +62,6 @@
       ],
       "x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org";
    },
-   "version" : "v2.21.2",
+   "version" : "v2.21.3",
    "x_serialization_backend" : "JSON::PP version 4.16"
 }
diff --git a/lemonldap-ng-manager/META.yml b/lemonldap-ng-manager/META.yml
index b78c50ce3..bd1eb3593 100644
--- a/lemonldap-ng-manager/META.yml
+++ b/lemonldap-ng-manager/META.yml
@@ -30,13 +30,13 @@ requires:
   Convert::PEM: '0'
   Crypt::OpenSSL::RSA: '0'
   LWP::UserAgent: '0'
-  Lemonldap::NG::Common: v2.21.2
-  Lemonldap::NG::Handler: v2.21.2
+  Lemonldap::NG::Common: v2.21.3
+  Lemonldap::NG::Handler: v2.21.3
 resources:
   MailingList: mailto:lemonldap-ng-dev@ow2.org
   X_twitter: https://twitter.com/lemonldapng
   bugtracker: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
   homepage: https://lemonldap-ng.org/
   license: http://opensource.org/licenses/GPL-2.0
-version: v2.21.2
+version: v2.21.3
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff --git a/lemonldap-ng-manager/Makefile.PL b/lemonldap-ng-manager/Makefile.PL
index d124e7386..73e3f695c 100644
--- a/lemonldap-ng-manager/Makefile.PL
+++ b/lemonldap-ng-manager/Makefile.PL
@@ -38,8 +38,8 @@ WriteMakefile(
     PREREQ_PM => {
         'Convert::PEM'           => 0,
         'Crypt::OpenSSL::RSA'    => 0,
-        'Lemonldap::NG::Common'  => '2.21.2',
-        'Lemonldap::NG::Handler' => '2.21.2',
+        'Lemonldap::NG::Common'  => '2.21.3',
+        'Lemonldap::NG::Handler' => '2.21.3',
         'LWP::UserAgent'         => 0,
     },    # e.g., Module::Name => 1.1
     (
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
index 5277f6cd0..180e5133f 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
@@ -17,7 +17,7 @@ use JSON;
 use Lemonldap::NG::Common::Conf::Constants;
 use Lemonldap::NG::Common::PSGI::Constants;
 
-our $VERSION = '2.21.2';
+our $VERSION = '2.21.3';
 
 extends qw(
   Lemonldap::NG::Handler::PSGI::Router
diff --git a/lemonldap-ng-portal/META.json b/lemonldap-ng-portal/META.json
index 2212dc80c..5648a0bd3 100644
--- a/lemonldap-ng-portal/META.json
+++ b/lemonldap-ng-portal/META.json
@@ -94,7 +94,7 @@
          },
          "requires" : {
             "Clone" : "0",
-            "Lemonldap::NG::Handler" : "v2.21.2",
+            "Lemonldap::NG::Handler" : "v2.21.3",
             "Regexp::Assemble" : "0"
          }
       }
@@ -111,6 +111,6 @@
       ],
       "x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org";
    },
-   "version" : "v2.21.2",
+   "version" : "v2.21.3",
    "x_serialization_backend" : "JSON::PP version 4.16"
 }
diff --git a/lemonldap-ng-portal/META.yml b/lemonldap-ng-portal/META.yml
index e46027dae..a8cec41df 100644
--- a/lemonldap-ng-portal/META.yml
+++ b/lemonldap-ng-portal/META.yml
@@ -79,7 +79,7 @@ recommends:
   Web::ID: '0'
 requires:
   Clone: '0'
-  Lemonldap::NG::Handler: v2.21.2
+  Lemonldap::NG::Handler: v2.21.3
   Regexp::Assemble: '0'
 resources:
   MailingList: mailto:lemonldap-ng-dev@ow2.org
@@ -87,5 +87,5 @@ resources:
   bugtracker: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
   homepage: https://lemonldap-ng.org/
   license: http://opensource.org/licenses/GPL-2.0
-version: v2.21.2
+version: v2.21.3
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff --git a/lemonldap-ng-portal/Makefile.PL b/lemonldap-ng-portal/Makefile.PL
index b9a6236c9..d97efa2d0 100644
--- a/lemonldap-ng-portal/Makefile.PL
+++ b/lemonldap-ng-portal/Makefile.PL
@@ -88,7 +88,7 @@ WriteMakefile(
     },
     PREREQ_PM => {
         'Clone'                  => 0,
-        'Lemonldap::NG::Handler' => '2.21.2',
+        'Lemonldap::NG::Handler' => '2.21.3',
         'Regexp::Assemble'       => 0,
     },
     (
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm
index 1b73a6a8d..fcb2a2809 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm
@@ -1,7 +1,7 @@
 # Alias for Lemonldap::NG::Portal::Main
 package Lemonldap::NG::Portal;
 
-our $VERSION = '2.21.2';
+our $VERSION = '2.21.3';
 use Lemonldap::NG::Portal::Main;
 use base 'Lemonldap::NG::Portal::Main';
 
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
index 69eeca89b..a4ef6c2d6 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
@@ -2751,6 +2751,10 @@ sub metadata {
 sub exportRequestParameters {
     my ( $self, $req ) = @_;
 
+    unless ( $self->ssoMatch($req) ) {
+        return PE_OK;
+    }
+
     if ( my $p = $req->param('prompt') ) {
         if ( $p eq 'none' ) {
             return $self->_unauthPromptNone($req);
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
index d1bad932d..4008c0f09 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
@@ -679,6 +679,7 @@ sub buildCookie {
         ? $req->{sessionInfo}
         : $req->{userData}
     );
+    $req->data->{newAuth} = 1;
     $self->auditLog(
         $req,
         message => (
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
index 129813586..d8dd1fcba 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@@ -195,7 +195,6 @@ sub postLogin {
 
 sub authenticatedRequest {
     my ( $self, $req ) = @_;
-    $req->data->{alreadyAuthenticated} = 1;
     return $self->do(
         $req,
         [
@@ -400,7 +399,7 @@ sub do {
         }
         else {
             my $res = { result => 1, error => $err };
-            unless ( $req->data->{alreadyAuthenticated} ) {
+            if ( $req->data->{newAuth} ) {
                 $res->{id}      = $req->id;
                 $res->{id_http} = $req->sessionInfo->{_httpSession}
                   if $req->sessionInfo->{_httpSession};
diff --git a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
index d70d083cd..b356565a9 100644
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
@@ -448,6 +448,9 @@ ok(
             openidconnectcallback => 1,
             error                 => "canceled",
             state                 => $state,
+
+            # 3445, make sure unwanted parameters don't confuse LLNG
+            prompt => "none",
         },
         accept => 'text/html',
     ),
@@ -551,6 +554,10 @@ sub rp {
     return LLNG::Manager::Test->new( {
             ini => {
                 logLevel                   => $debug,
+
+                # needed to to test #3445
+                issuerDBOpenIDConnectActivation => "1",
+
                 domain                     => 'rp.com',
                 portal                     => 'http://auth.rp.com/',
                 authentication             => 'OpenIDConnect',
diff --git a/scripts/ci-build-deb b/scripts/ci-build-deb
new file mode 100755
index 000000000..4e8829ce6
--- /dev/null
+++ b/scripts/ci-build-deb
@@ -0,0 +1,24 @@
+#!/bin/sh
+set -xe
+
+. /etc/os-release
+dist=${ID:-unknown}
+ver=${VERSION_CODENAME:-unknown}
+
+export DEBIAN_FRONTEND=noninteractive
+
+apt update --allow-releaseinfo-change
+apt -y install devscripts dpkg-dev equivs
+mk-build-deps --install --remove \
+    --tool "apt-get -o Debug::pkgProblemResolver=yes -q -y" \
+    debian/control
+
+# Install additional libs
+apt install -y tzdata
+apt install -y libgeoip2-perl || true
+apt install -y libhttp-browserdetect-perl || true
+
+make debian-packages
+
+mkdir -p "result/$dist/$ver/"
+cp /tmp/*deb  "result/$dist/$ver/"
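Review bot: `cp /tmp/*deb "result/$dist/$ver/"` copies every .deb lying in /tmp, not only the ones `make debian-packages` just produced, and under `set -e` an empty glob is passed literally to `cp` and aborts the script; having the make target write into a dedicated directory (or clearing it before the build) avoids both. Style: in a non-interactive script `apt-get` is preferred over `apt`, whose command-line interface prints a warning that it is not stable.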
diff --git a/scripts/ci-build-rpm b/scripts/ci-build-rpm
new file mode 100755
index 000000000..181af6704
--- /dev/null
+++ b/scripts/ci-build-rpm
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -xe
+
+. /etc/os-release
+dist=${ID:unknown}
+ver=$(rpm --eval '%{rhel}')
+
+# Replace deprecated mirrors
+if [ $dist = "centos" ] ; then
+    sed -i 's/mirror\.centos\.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-*.repo
+    sed -i 's/^#.*baseurl=http/baseurl=http/g' /etc/yum.repos.d/CentOS-*.repo
+    sed -i 's/^mirrorlist=http/#mirrorlist=http/g' /etc/yum.repos.d/CentOS-*.repo
+    alias dnf=yum
+fi
+
+dnf -y install epel-release make rpm-build
+[ -x /usr/bin/crb ] && crb enable
+
+make dist
+
+mkdir -p /root/rpmbuild/SOURCES
+cp lemonldap-ng-*.tar.gz /root/rpmbuild/SOURCES/
+
+# Install build dependencies
+# On some EL versions, a second run is needed
+if [ "$ver" -lt "8" ] ; then
+    yum-builddep -y rpm/lemonldap-ng.spec
+    yum-builddep -y rpm/lemonldap-ng.spec
+else
+    dnf -y builddep rpm/lemonldap-ng.spec
+    dnf -y builddep rpm/lemonldap-ng.spec
+fi
+
+rpmbuild -ba rpm/lemonldap-ng.spec
+
+mkdir -p "result/$dist/$ver/"
+cp /root/rpmbuild/RPMS/noarch/*rpm  "result/$dist/$ver/"
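Review bot: `dist=${ID:unknown}` is missing the `-`: this is the substring form `${parameter:offset}`, not the default-value form `${ID:-unknown}` that ci-build-deb uses. In bash the offset `unknown` evaluates arithmetically to 0, so the line works by accident; in dash it is a "Bad substitution" and the script dies. The `alias dnf=yum` line relies on alias expansion being active in a non-interactive `sh` (true for bash in POSIX mode, not everywhere); a function `dnf() { yum "$@"; }` is portable. Also `[ $dist = "centos" ]` should quote `$dist`, and `ver=$(rpm --eval '%{rhel}')` returns the literal `%{rhel}` on a system where the macro is undefined, which then breaks the `[ "$ver" -lt "8" ]` comparison under `set -e`.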
diff --git a/scripts/generate-changelog.pl b/scripts/generate-changelog.pl
index 306075f24..fd939a347 100755
--- a/scripts/generate-changelog.pl
+++ b/scripts/generate-changelog.pl
@@ -12,7 +12,7 @@
 use LWP::UserAgent;
 use JSON;
 
-my $milestone = '2.21.2';
+my $milestone = '2.21.3';
 my @cat = ( 'Bug', 'New feature', 'Improvement', 'Template', 'WebServer Conf' );
 
 open F, "$ENV{HOME}/.ow2-token" or die "Unable to get OW2 token ($!)";
diff --git a/scripts/sonar b/scripts/sonar
index 8432e8113..2ef4a6aa6 100755
--- a/scripts/sonar
+++ b/scripts/sonar
@@ -1,6 +1,7 @@
 #!/bin/sh
 
 apt update --allow-releaseinfo-change
+apt -y install devscripts dpkg-dev
 mk-build-deps --install --remove \
     --tool "apt-get -o Debug::pkgProblemResolver=yes -q -y" \
     debian/control