Package: lemonldap-ng / 2.16.1+ds-deb12u6

Metadata

Package: lemonldap-ng
Version: 2.16.1+ds-deb12u6
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
javascript path.patch | (download)

_example/etc/manager-nginx.conf | 6 3 + 3 - 0 !
_example/etc/portal-nginx.conf | 6 3 + 3 - 0 !
2 files changed, 6 insertions(+), 6 deletions(-)

 preserve javascript-common path
Avoid developer tests.patch | (download)

lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t | 2 1 + 1 - 0 !
lemonldap-ng-handler/t/61-Lemonldap-NG-Handler-PSGI-Server.t | 2 1 + 1 - 0 !
lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 avoid some heavy developer tests
fix for pod2man.diff | (download)

Makefile | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 restore directory removed during import
replace api doc by link.diff | (download)

doc/index.html | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 replace api doc by external link
 API is a compiled webpage (swagger-codegen). Since there is now a good
 Open-API doc generator in the Debian archive, this doc is excluded and
 replaced by a link to the upstream website
drop network test.patch | (download)

lemonldap-ng-portal/t/02-Password-Demo-checkHIBP.t | 58 1 + 57 - 0 !
1 file changed, 1 insertion(+), 57 deletions(-)

 drop network test
fix jwt.patch | (download)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix bad jwt header
fix OP acr parsing.patch | (download)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 2 1 + 1 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+), 1 deletion(-)

 * Configure Auth::OIDC with an OP that always returns acr: 1 in the ID token
 * Set oidcOPMetaDataOptionsAcrValues to loa-1

 ACR value 1 is accepted despite not being part of the list ['loa-1']

 The problem is in this regexp:

   unless ( $acr_values =~ /\b$acr\b/i ) {

 because \b matches too many things (in the example: it matches -)
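The `\b` pitfall described in this patch, as an added Python example (not code from the package or from the Debian patch itself): `acr_allowed_buggy` mirrors the quoted Perl regexp, and `acr_allowed_fixed` is one way to do the exact-match comparison, assuming `acr_values` is a whitespace-separated string as in the OIDC acr_values parameter.

```python
import re

# Constructed inputs: the ACR list configured for the OP, and the acr claim
# the OP returns in the ID token. Names and values are assumptions.
CONFIGURED_ACR_VALUES = "loa-1"
ID_TOKEN_ACR = "1"


def acr_allowed_buggy(acr_values: str, acr: str) -> bool:
    """Mirror of the Perl check `$acr_values =~ /\\b$acr\\b/i`.

    `\\b` is a boundary between a word character and a non-word character,
    so in "loa-1" there is a boundary between "-" and "1" and the bare
    value "1" matches even though it is not an entry of the list.
    (The Perl original also interpolates $acr unescaped; re.escape is
    used here so that only the \\b problem is shown.)
    """
    pattern = r"\b" + re.escape(acr) + r"\b"
    return re.search(pattern, acr_values, re.IGNORECASE) is not None


def acr_allowed_fixed(acr_values: str, acr: str) -> bool:
    """Exact membership test against the whitespace-separated list.

    Case-insensitive to keep the /i semantics of the original check;
    an entry only matches when the whole token is equal, never a substring
    cut at a "-" or ":" boundary.
    """
    allowed = {v.casefold() for v in acr_values.split()}
    return acr.casefold() in allowed


def compare(acr_values: str, acr: str) -> dict:
    """Return both verdicts so a reader can see where they diverge."""
    return {
        "buggy": acr_allowed_buggy(acr_values, acr),
        "fixed": acr_allowed_fixed(acr_values, acr),
    }


if __name__ == "__main__":
    # The case from the patch description: "1" must be rejected for ['loa-1'].
    print(compare(CONFIGURED_ACR_VALUES, ID_TOKEN_ACR))
    # A URN-style ACR (form used in the OIDC Core spec): ":" is a boundary too.
    print(compare("urn:mace:incommon:iap:silver", "silver"))
```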
fix viewer endpoint.patch | (download)

doc/sources/admin/viewer.rst | 4 2 + 2 - 0 !
lemonldap-ng-manager/site/coffee/viewer.coffee | 4 2 + 2 - 0 !
2 files changed, 4 insertions(+), 4 deletions(-)

 fix viewer endpoint
 Regression introduced in 2.16.1
apply user control to authslave.patch | (download)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm | 7 6 + 1 - 0 !
lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t | 24 23 + 1 - 0 !
2 files changed, 29 insertions(+), 2 deletions(-)

 [security] apply user-control to authslave
fix open redirection.patch | (download)

lemonldap-ng-handler/lib/Lemonldap/NG/Handler/ApacheMP2/Main.pm | 3 2 + 1 - 0 !
lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm | 3 2 + 1 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm | 6 5 + 1 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm | 4 3 + 1 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 3 2 + 1 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm | 2 1 + 1 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm | 1 1 + 0 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm | 11 9 + 2 - 0 !
lemonldap-ng-portal/t/03-XSS-protection.t | 60 42 + 18 - 0 !
9 files changed, 67 insertions(+), 26 deletions(-)

 fix open redirection
fix open redirection without OIDC redirect uris.patch | (download)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 7 7 + 0 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t | 2 2 + 0 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-jwt-userinfo.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-public_client.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-authchoice.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-info.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-none-alg.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-hybrid.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit-no-token.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-OIDC-Code-Flow-with-2F-UpgradeOnly.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-OIDC-Code-Flow-with-2F.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/32-OIDC-Hooks.t | 1 1 + 0 - 0 !
lemonldap-ng-portal/t/32-OIDC-Logout-from-RP-bypass-confirm.t | 2 2 + 0 - 0 !
lemonldap-ng-portal/t/32-OIDC-Logout-redirect-uri-not-allowed.t | 2 2 + 0 - 0 !
lemonldap-ng-portal/t/32-OIDC-Macro.t | 1 1 + 0 - 0 !
lemonldap-ng-portal/t/32-OIDC-Offline-Session.t | 2 1 + 1 - 0 !
lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t | 1 1 + 0 - 0 !
lemonldap-ng-portal/t/32-OIDC-Token-Exchange.t | 1 1 + 0 - 0 !
lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t | 1 1 + 0 - 0 !
lemonldap-ng-portal/t/32-OIDC-Token-Security.t | 10 6 + 4 - 0 !
lemonldap-ng-portal/t/32-OIDC-redirect_uri-filter.t | 252 252 + 0 - 0 !
lemonldap-ng-portal/t/37-Issuer-Timeout.t | 8 6 + 2 - 0 !
lemonldap-ng-portal/t/37-Logout-from-OIDC-RP-to-SAML-IDP-Redirect.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/37-Logout-from-OIDC-RP-to-SAML-IDP-SOAP.t | 2 2 + 0 - 0 !
lemonldap-ng-portal/t/37-Logout-from-OIDC-RP-to-SAML-SP.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-POST.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/37-SAML-SP-GET-to-OIDC-OP.t | 4 3 + 1 - 0 !
lemonldap-ng-portal/t/37-SAML-SP-POST-to-OIDC-OP.t | 13 6 + 7 - 0 !
32 files changed, 342 insertions(+), 31 deletions(-)

 fix open redirection when oidc rp has no oidcrpmetadataoptionsredirecturis
 This issue concerns only people who modify the config by hand. The manager
 already refuses a relying party without redirect URIs.
SSRF issue.patch | (download)

doc/sources/admin/idpopenidconnect.rst | 5 5 + 0 - 0 !
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm | 1 1 + 0 - 0 !
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/ar.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/en.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/es.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/fr.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/he.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/it.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/pl.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/pt.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/pt_BR.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/tr.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/vi.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/zh.json | 1 1 + 0 - 0 !
lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/MANIFEST | 1 1 + 0 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 300 170 + 130 - 0 !
lemonldap-ng-portal/t/32-OIDC-Request-Uri.t | 200 200 + 0 - 0 !
19 files changed, 391 insertions(+), 130 deletions(-)

 fix ssrf vulnerability
 Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/
CVE 2024 48933.patch | (download)

lemonldap-ng-portal/site/coffee/portal.coffee | 9 3 + 6 - 0 !
lemonldap-ng-portal/site/templates/bootstrap/checkuser.tpl | 2 1 + 1 - 0 !
lemonldap-ng-portal/site/templates/bootstrap/globallogout.tpl | 2 1 + 1 - 0 !
lemonldap-ng-portal/site/templates/bootstrap/gpgform.tpl | 2 1 + 1 - 0 !
lemonldap-ng-portal/site/templates/bootstrap/password.tpl | 4 2 + 2 - 0 !
lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl | 6 3 + 3 - 0 !
lemonldap-ng-portal/site/templates/common/script.tpl | 1 0 + 1 - 0 !
7 files changed, 11 insertions(+), 15 deletions(-)

 fix xss vulnerability
 A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3
 allows remote attackers to inject arbitrary web script or HTML into the
 login page via a username if userControl has been set to a non-default
 value that allows special HTML characters.
fix auth level escalation.patch | (download)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdaptativeAuthenticationLevel.pm | 2 2 + 0 - 0 !
lemonldap-ng-portal/t/61-AdaptativeAuthenticationLevel.t | 29 12 + 17 - 0 !
2 files changed, 14 insertions(+), 17 deletions(-)

 do not run adaptativeauthenticationlevel during refresh
fix xss in upgrade plugin.patch | (download)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 check xss in ::plugins::upgrade 
CVE 2024 52948.patch | (download)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/Base.pm | 6 6 + 0 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/Generic.pm | 11 11 + 0 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/Password.pm | 6 6 + 0 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/TOTP.pm | 9 9 + 0 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm | 3 3 + 0 - 0 !
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/WebAuthn.pm | 16 16 + 0 - 0 !
lemonldap-ng-portal/site/coffee/2fregistration.coffee | 2 2 + 0 - 0 !
lemonldap-ng-portal/site/coffee/generic2fregistration.coffee | 4 4 + 0 - 0 !
lemonldap-ng-portal/site/coffee/password2fregistration.coffee | 2 2 + 0 - 0 !
lemonldap-ng-portal/site/coffee/totpregistration.coffee | 4 4 + 0 - 0 !
lemonldap-ng-portal/site/coffee/webauthnregistration.coffee | 8 8 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/common/js/2fregistration.js | 3 3 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/common/js/generic2fregistration.js | 6 6 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/common/js/password2fregistration.js | 3 3 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/common/js/totpregistration.js | 6 6 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/common/js/webauthnregistration.js | 12 12 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/ar.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/de.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/en.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/es.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/fi.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/fr.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/he.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/it.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/pl.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/pt.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/pt_BR.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/tr.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/vi.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/zh.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/site/htdocs/static/languages/zh_TW.json | 1 1 + 0 - 0 !
lemonldap-ng-portal/t/01-WebAuthn-Registration.t | 29 29 + 0 - 0 !
lemonldap-ng-portal/t/35-REST-sessions-with-AuthBasic-handler-with-2FA.t | 50 28 + 22 - 0 !
lemonldap-ng-portal/t/36-Combination-with-TOTP.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/38-No-persistent-session.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/61-BruteForceProtection-with-Incremental-lockTimes-and-TOTP.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/64-StayConnected-with-2F-and-History.t | 9 8 + 1 - 0 !
lemonldap-ng-portal/t/67-CheckUser.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/68-ContextSwitching-with-2F-allowed.t | 24 22 + 2 - 0 !
lemonldap-ng-portal/t/68-ContextSwitching-with-2F.t | 24 22 + 2 - 0 !
lemonldap-ng-portal/t/68-ContextSwitching-with-TOTP-and-Notification.t | 21 17 + 4 - 0 !
lemonldap-ng-portal/t/68-Impersonation-with-2F.t | 24 22 + 2 - 0 !
lemonldap-ng-portal/t/68-Impersonation-with-TOTP.t | 9 8 + 1 - 0 !
lemonldap-ng-portal/t/70-2F-Password.t | 12 10 + 2 - 0 !
lemonldap-ng-portal/t/70-2F-TOTP-8-with-global-storage.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/70-2F-TOTP-and-U2F-with-TTL-and-JSON.t | 15 13 + 2 - 0 !
lemonldap-ng-portal/t/70-2F-TOTP-and-U2F-with-authnLevels-and-UpgradeOnly.t | 9 8 + 1 - 0 !
lemonldap-ng-portal/t/70-2F-TOTP-encryption.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/70-2F-TOTP-with-History-and-Refresh.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/70-2F-TOTP-with-Range.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-JSON.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-XML.t | 12 9 + 3 - 0 !
lemonldap-ng-portal/t/70-2F-TOTP-with-TTL.t | 15 12 + 3 - 0 !
lemonldap-ng-portal/t/73-2F-UTOTP-TOTP-and-U2F-with-History.t | 9 8 + 1 - 0 !
lemonldap-ng-portal/t/73-2F-UTOTP-TOTP-and-U2F.t | 12 11 + 1 - 0 !
lemonldap-ng-portal/t/73-2F-UTOTP-TOTP-only-with-History.t | 9 8 + 1 - 0 !
lemonldap-ng-portal/t/73-2F-UTOTP-TOTP-only.t | 9 8 + 1 - 0 !
lemonldap-ng-portal/t/74-2F-Required-Issuer-Timeouts.t | 15 10 + 5 - 0 !
lemonldap-ng-portal/t/74-2F-Required.t | 9 8 + 1 - 0 !
lemonldap-ng-portal/t/75-2F-Registers.t | 18 17 + 1 - 0 !
lemonldap-ng-portal/t/77-2F-Extra-Register.t | 42 41 + 1 - 0 !
lemonldap-ng-portal/t/78-2F-UpgradeOnly-with-forceFlag.t | 12 9 + 3 - 0 !
62 files changed, 525 insertions(+), 87 deletions(-)

 fix csrf on 2fa registration
fix test when ldap server exists.patch | (download)

lemonldap-ng-portal/t/41-Captcha-with-LDAP.t | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix test when an LDAP server is running on the build machine
CVE 2025 31510.patch | (download)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 fix xss/html injection through tab parameter (choice)
 An input validation vulnerability has been identified in the tab parameter
 when authentication is set to Choice.
 This issue allows for the injection of malicious content, including HTML,
 iframes, or JavaScript, with varying impacts depending on the applied
 Content Security Policy (CSP) configuration.