# fusiondirectory issues
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues (feed updated 2018-08-17T08:17:28Z)

## update the UPGRADE.md for 1.2.2
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5876 (2018-08-17T08:17:28Z, bmortier)

Hello,
we need to update the UPGRADE.md for 1.2.2
```
--migrate-supannentite
This option adds the {SUPANN} prefix that was missing in supannTypeEntite values before FD 1.3.
```
Cheers

Milestone: FusionDirectory 1.2.2

## Update AUTHORS.md for 1.2.2
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5874 (2018-08-16T19:49:18Z, bmortier)

Hello,
we need to update AUTHORS.md for 1.2.2
Cheers

Milestone: FusionDirectory 1.2.2

## Create a changelog for 1.2.2
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5873 (2018-08-16T19:22:45Z, bmortier)

Hello,
we need a changelog for 1.2.2
Cheers

Milestone: FusionDirectory 1.2.2

## rewrote AUTHORS in markdown
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5872 (2018-08-16T13:01:17Z, bmortier)

Hello,
we need to rewrite AUTHORS in markdown
Cheers

Milestone: FusionDirectory 1.2.2

## Increment FusionDirectory version for 1.2.2
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5871 (2018-08-16T12:30:31Z, bmortier)

Hello,
we need to update fusiondirectory version for 1.2.2
Cheers

Milestone: FusionDirectory 1.2.2

## Updates the locales for 1.2.2
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5870 (2018-08-16T12:02:48Z, bmortier)

Hello,
we need to update the locales for 1.2.2
Cheers

Milestone: FusionDirectory 1.2.2

## HTML is not escaped in departments descriptions
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5868 (2018-08-14T14:33:18Z, bmortier)

### Description
If you put HTML in a department description field, it gets rendered in the department list.
### FusionDirectory Version
1.2
### Steps to Reproduce
1. Create a department
2. Put `<b>FooBar</b><br> is the name.` in the description
3. Look at the department list
**Expected behavior:**
HTML is escaped
**Actual behavior:**
HTML is rendered
### Additional Information
Department tree in base field is affected as well.
Other columns should be checked as well for most objects, and we should make sure the 1.4 management class does not have the problem.

Milestone: FusionDirectory 1.2.2
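
As an added example (this is not FusionDirectory's own code), here is the pattern the fix for this report needs: every LDAP attribute value that is placed into the department list, or into the department tree of the base selector, goes through `htmlspecialchars()` with `ENT_QUOTES` before it reaches the markup. The `renderDepartmentRow*` function names, the `data-dn` attribute and the sample entries are assumptions made for this illustration; the payload is the one from the report. The helper also accepts arrays, because LDAP attributes are frequently multi-valued and an array reaching the escaping function unguarded produces a PHP error rather than escaped output.

```php
<?php
declare(strict_types=1);

/**
 * Escape one LDAP attribute value for insertion into HTML text or into a
 * double-quoted attribute. ENT_QUOTES also escapes single quotes,
 * ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output,
 * and the encoding is pinned so a charset mismatch cannot reopen the hole.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Same, for values that may be multi-valued in LDAP (arrays of strings). */
function escapeHtmlValue($value): string
{
    if (is_array($value)) {
        return implode(', ', array_map(static function ($v): string {
            return escapeHtml((string) $v);
        }, $value));
    }
    return escapeHtml((string) $value);
}

/** Vulnerable rendering, as described in the report: raw values in the markup. */
function renderDepartmentRowVulnerable(array $entry): string
{
    return '<tr><td>' . $entry['ou'] . '</td><td>' . $entry['description'] . '</td></tr>';
}

/** Fixed rendering: every value escaped, including the dn placed in an attribute. */
function renderDepartmentRow(array $entry): string
{
    return sprintf(
        '<tr data-dn="%s"><td>%s</td><td>%s</td></tr>',
        escapeHtml($entry['dn']),
        escapeHtmlValue($entry['ou']),
        escapeHtmlValue($entry['description'])
    );
}

// Constructed sample data: one description carries the payload from the report,
// the other is a multi-valued attribute as returned by ldap_get_entries().
$departments = [
    ['dn' => 'ou=Sales,dc=example,dc=com', 'ou' => 'Sales',
     'description' => '<b>FooBar</b><br> is the name.'],
    ['dn' => 'ou=IT,dc=example,dc=com', 'ou' => 'IT',
     'description' => ['Infrastructure', 'Helpdesk']],
];

// What the browser receives today for the first entry: live <b> and <br> tags.
echo "vulnerable: ", renderDepartmentRowVulnerable($departments[0]), PHP_EOL;

foreach ($departments as $dept) {
    $html = renderDepartmentRow($dept);
    // Self-check: no raw tag from the description survives in the output.
    if (strpos($html, '<b>') !== false || strpos($html, '<br>') !== false) {
        throw new RuntimeException('description was rendered unescaped');
    }
    echo "escaped:    ", $html, PHP_EOL;
}
```

The escaped row for the first entry reads `&lt;b&gt;FooBar&lt;/b&gt;&lt;br&gt; is the name.`, which the browser shows as literal text. Escaping belongs at the output boundary, not on the value stored in LDAP: the directory must keep the exact string the administrator typed, and other consumers of the attribute are not HTML.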

## Name field for countries should be limited to two characters
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5864 (2018-08-09T07:40:04Z, bmortier)

### Description
The name field for countries, stored in "c", only accepts 2-letter long values, but FD accepts any value, leading to LDAP errors (invalid DN).
### Steps to Reproduce
1. Create a country
2. Give it a name longer than 2 characters
3. Try to save it
**Expected behavior:**
The country is saved or we get a clear error.
**Actual behavior:**
LDAP error about invalid dn syntax.
**Reproduces how often:**
100%
### Additional Information
Found in https://gitlab.fusiondirectory.org/fusiondirectory/fd/issues/5861#note_50686
Milestone: FusionDirectory 1.2.2
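
Added example, not the project's code: validate the value before it is put into the RDN. The `c` attribute uses the LDAP Country String syntax (RFC 4517, exactly two printable characters, in practice an ISO 3166-1 alpha-2 code), so OpenLDAP rejects a DN whose `c=` value is longer when it validates the DN, which is the "invalid DN syntax" error the report describes. Checking in FusionDirectory turns that into the clear message the expected behaviour asks for; escaping the RDN value with `ldap_escape()` is added as defence in depth so that, for attributes with a looser syntax, a value containing `,` or `+` cannot change the DN structure. `validateCountryCode()`, `buildDn()`, the base DN and the sample inputs are constructed for this illustration; `ldap_escape()` needs ext-ldap, which FusionDirectory already requires.

```php
<?php
declare(strict_types=1);

/**
 * Return [normalisedCode, null] or [null, errorMessage].
 * Matching for "c" is case-insensitive in LDAP, so the code is uppercased;
 * letters only is the useful rule because the values are ISO 3166 codes.
 */
function validateCountryCode(string $input): array
{
    $code = strtoupper(trim($input));
    if (!preg_match('/^[A-Z]{2}$/', $code)) {
        return [null, sprintf(
            'Country name "%s" is not valid: the LDAP attribute "c" takes a two-letter ISO 3166 code such as FR or DE.',
            $input
        )];
    }
    return [$code, null];
}

/**
 * Build "attr=value,base" with the RDN value escaped per RFC 4514
 * (LDAP_ESCAPE_DN, PHP >= 5.6): ',' '+' '"' '\' '<' '>' ';' '=' '#' and
 * leading/trailing spaces are backslash-escaped. The country code is already
 * constrained above; the helper is generic for other RDN attributes.
 */
function buildDn(string $attr, string $value, string $base): string
{
    return $attr . '=' . ldap_escape($value, '', LDAP_ESCAPE_DN) . ',' . $base;
}

// Constructed inputs: what the "Name" field might receive from the form.
$base = 'dc=example,dc=com';
foreach (['FR', 'fr ', 'France', 'F+R', ''] as $input) {
    [$code, $error] = validateCountryCode($input);
    if ($error !== null) {
        // Shown to the user instead of the raw LDAP "invalid DN syntax" error.
        echo "rejected: {$error}\n";
        continue;
    }
    $dn = buildDn('c', $code, $base);
    echo "accepted: {$dn}\n";   // e.g. accepted: c=FR,dc=example,dc=com
    // In the real save path this is where the entry is written:
    // ldap_add($ldap, $dn, ['objectClass' => ['top', 'country'], 'c' => $code]);
}
```

Of the five inputs, `FR` and `fr ` are accepted (both as `c=FR,dc=example,dc=com`) and `France`, `F+R` and the empty string are rejected with the message above. The same shape of check, a syntax-aware validator run before the DN is assembled, is the general fix whenever a user-supplied value becomes part of an RDN.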

## Creating a user from a template with a non-existing group crashes
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5851 (2018-11-12T11:43:55Z, bmortier)

### Description
When a template contains a group which was since deleted, using this template to create a user makes FusionDirectory crash. It should show the error in a pop-up instead.
### FusionDirectory Version
1.2
### Steps to Reproduce
1. Create a user template with a group
2. Delete the group
3. Create a user from the template
**Expected behavior:**
An error message and the group is ignored
**Actual behavior:**
Crash
(Fatal Error: Uncaught NonExistingLdapNodeException)

Milestone: FusionDirectory 1.2.2

## Config insertion LDAP errors from setup are not shown
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5850 (2018-08-07T13:07:45Z, bmortier)

### Description
When the insertion of the configuration object in the LDAP server fails, no error is shown to the user.
This is because the setup code was not adapted to the changes from #4893.
### FusionDirectory Version
Since 1.1
### Steps to Reproduce
1. Go through the setup to the configuration step
2. Break your LDAP server or stop it
3. Save the configuration
**Expected behavior:**
Have an error on-screen
**Actual behavior:**
Fails silently and goes to the next step
### Additional Information
You may have errors from other operations when trying to reproduce, but not the one from the actual configuration save.

Milestone: FusionDirectory 1.2.2

## Error in supann tab when we use a template
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5849 (2018-07-18T08:05:02Z, bmortier)

### Description
Hello,
We have an error with the supann tab when we use a template.
### Distribution Name and Version
Stretch
### FusionDirectory Version
1.2.1
### PHP version used
php7
### Origin of php packages
Debian
### Steps to Reproduce
1. Create a template
2. Enable supann tab
3. Add a value in affiliation and in principal affiliation
4. Save the template
5. Create a user with the template
We receive this error (if we add "researcher" in affiliation):
```
La valeur «researcher» pour le champ «Affiliation principale» n’est pas dans la liste des choix possibles
```
(In English: The value "researcher" for the field "Principal affiliation" is not in the list of possible choices.)
**Expected behavior:**
Create the user without an error.
**Actual behavior:**
It displays an error; we must validate the user again to make it work.
**Reproduces how often:**
100%

Milestone: FusionDirectory 1.2.2

## Samba groups are not showing in dashboard
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5846 (2018-06-13T13:57:48Z, bmortier)

### Description
Samba groups are not showing in dashboard
### Distribution Name and Version
Debian Jessie 8.0
### FusionDirectory Version
1.2.1
### PHP version used
5.6
### Origin of php packages
Debian
### Steps to Reproduce
1. Create a group
2. Add samba tab to it
3. Go to dashboard
4. The dashboard shows no Samba group on the user tab
**Expected behavior:**
dashboard showing me that there is a samba group
**Actual behavior:**
It shows no groups.
**Reproduces how often:**
100%
### Additional Information
Also found on a customer site.

Milestone: FusionDirectory 1.2.2

## Security: Insecure Generation of Random Tokens
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5843 (2020-06-23T15:48:44Z, bmortier)

### Description
The random tokens for CSRF protection and password reset are generated by the method `standAlonePage::generateRandomHash()`. This method uses the insecure function `mt_rand()`. The output of this function is predictable and therefore not suitable for security purposes.
Instead of the insecure functions, [`random_bytes()`](http://id1.php.net/random_bytes), [`random_int()`](http://pl1.php.net/random_int) or the [implementation for older PHP versions](https://github.com/paragonie/random_compat) should be used.
### Code Locations
* https://gitlab.fusiondirectory.org/fusiondirectory/fd/blob/1.2.1-fixes/html/class_passwordRecovery.inc#L233
* https://gitlab.fusiondirectory.org/fusiondirectory/fd/blob/1.3-dev/html/class_passwordRecovery.inc#L234
* https://gitlab.fusiondirectory.org/fusiondirectory/fd/blob/1.4-dev/html/class_passwordRecovery.inc#L233
### Distribution Name and Version
Found by source code analysis.
### FusionDirectory Version
Identified in all current development branches and the master branch.
### PHP version used
Found by source code analysis.
### Origin of php packages
Found by source code analysis.
### Steps to Reproduce
The vulnerability was discovered by code analysis, but an exploit was not implemented specifically for FusionDirectory. Generally, an attacker can predict the tokens when he gathers a few tokens or calculates random tokens from known seeds. See [this page](http://phpsecurity.readthedocs.io/en/latest/Insufficient-Entropy-For-Random-Values.html) for details. There's also [a tool](https://github.com/GeorgeArgyros/Snowflake) for exploitation of such issues.
**Actual behavior:**
Predictable tokens are generated for security purposes.
**Reproduces how often:**
100%
### Additional Information
* https://stackoverflow.com/questions/17362402/why-is-phps-mt-rand-not-cryptographically-secure
* https://softwareengineering.stackexchange.com/questions/76229/predicting-the-output-of-phps-rand

Milestone: FusionDirectory 1.2.2
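
Added example (not FusionDirectory's code) of the replacement the report asks for, and of why `mt_rand()` is the wrong primitive: a Mersenne Twister output stream is fully determined by its 32-bit seed, so a token derived from it can be reproduced by anyone who learns or brute-forces the seed, whereas `random_bytes()` reads the operating system's CSPRNG and has no seed to recover. The `generateRandomHash()` name follows the report; `weakGenerateRandomHash()` is a constructed illustration of the mt_rand pattern, not the project's actual implementation, and the seed range of the brute force is kept small only so the script finishes in well under a second (the real search space is 2^32, which is routine to exhaust offline). `hash_equals()` is added for the check side, because comparing tokens with `==` leaks timing information.

```php
<?php
declare(strict_types=1);

function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

/** Constructed stand-in for an mt_rand()-based token (the weak pattern). */
function weakGenerateRandomHash(): string
{
    return md5((string) mt_rand());
}

/**
 * Secure replacement: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded so
 * it is safe in URLs and hidden fields. random_bytes() is built in since
 * PHP 7.0; on PHP 5.x, paragonie/random_compat provides the same function.
 * It throws instead of degrading when no entropy source is available.
 */
function generateRandomHash(): string
{
    return bin2hex(random_bytes(32));
}

/** Constant-time comparison for the verification side (password reset, CSRF). */
function tokenMatches(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

// 1. Seeded mt_rand: the same seed yields the same "random" token.
mt_srand(12345);
$first = weakGenerateRandomHash();
mt_srand(12345);
check($first === weakGenerateRandomHash(), 'mt_rand should be deterministic per seed');

// 2. Attacker's view: one leaked token (say, a reset link seen in a log) plus a
//    search over seeds recovers the generator state, after which every later
//    token is known. The seed below is "unknown" to the attacker.
$secretSeed = 31337;
mt_srand($secretSeed);
$leaked    = weakGenerateRandomHash();
$nextToken = weakGenerateRandomHash();   // what the attacker wants to predict

$recovered = null;
for ($seed = 0; $seed < 50000; $seed++) {
    mt_srand($seed);
    if (weakGenerateRandomHash() === $leaked) {
        $recovered = $seed;
        break;
    }
}
check($recovered !== null, 'seed not found in range');
mt_srand($recovered);
weakGenerateRandomHash();                                       // skip the leaked one
check(weakGenerateRandomHash() === $nextToken, 'prediction failed');

// 3. CSPRNG tokens: 64 hex chars, no seed to recover, constant-time comparison.
$token = generateRandomHash();
check(strlen($token) === 64 && ctype_xdigit($token), 'unexpected token format');
check(tokenMatches($token, $token), 'identical tokens must match');
check(!tokenMatches($token, generateRandomHash()), 'distinct tokens must not match');

echo "seed {$recovered} recovered from one leaked mt_rand token; next token predicted\n";
echo "random_bytes token: {$token}\n";
```

Two operational points follow from this. A reset token should also be stored as a hash (for example `hash('sha256', $token)`) with an expiry, so a database read does not hand out live tokens; and the fix has to land everywhere `mt_rand()`, `rand()` or `uniqid()` feeds something security-relevant, not only in the three code locations listed above.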

## Security: Missing Security Headers
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5842 (2020-06-23T15:48:24Z, bmortier)

### Description
It's best practice in web application security to set some headers that increase the security level of the application. Basically, the following headers should be set by default to increase the security of all deployments:
* `X-Frame-Options: deny`: Prevents clickjacking attacks and other attack techniques against the application. [More...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
* `X-XSS-Protection: 1; mode=block`: Increases the difficulty for exploitation of [Cross Site Scripting attacks (XSS)](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)) in many browsers. [More...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
* `X-Content-Type-Options: nosniff`: Indicates that the browser should not try to deduce a content type different from the *Content-Type* header. [More...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
Furthermore recommended, but difficult to implement effectively:
* `Content-Security-Policy`: Whitelist possible resources and restricts JavaScript usage. Correctly implemented, this increases the difficulty for exploitation of Cross-site scripting attacks. [More...](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
### Distribution Name and Version
Reproduced in *admin.fusiondirectory.org*.
### FusionDirectory Version
1.2
### PHP version used
Reproduced in *admin.fusiondirectory.org*.
### Origin of php packages
Reproduced in *admin.fusiondirectory.org*.
### Steps to Reproduce
1. Open the browser's developer tools (Ctrl-Shift-I in Firefox and Chrome)
2. Choose the network tab of developer tools.
3. Open the main page of a default FusionDirectory instance
4. Check the response headers.
**Expected behavior:**
The security headers mentioned above are set.
**Actual behavior:**
No security headers are set.
**Reproduces how often:**
100%
### Additional Information
See the [OWASP Security Headers](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers) project page and [Mozilla web security guide](https://infosec.mozilla.org/guidelines/web_security#x-content-type-options) for more information on this topic.

Milestone: FusionDirectory 1.2.2
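
Added example, not the project's code: one function that builds the header set the report lists and one that emits it before any output. Two caveats a practitioner should know when applying the report today: `X-XSS-Protection` is deprecated, the browser XSS auditor it controlled has been removed from Chromium and never existed in Firefox, and the OWASP Secure Headers Project now recommends sending `0` rather than `1; mode=block`, so the real protection against XSS is the Content-Security-Policy; and `frame-ancestors` in a CSP supersedes `X-Frame-Options` in browsers that support it, so both are sent. The policy below is a starting point that assumes the application's own inline scripts are given the per-request nonce; that is an assumption about the deployment, not something the report states, and a policy that still needs `'unsafe-inline'` should be deployed as `Content-Security-Policy-Report-Only` first.

```php
<?php
declare(strict_types=1);

/**
 * Build the security headers for one response. Returned as an array so the
 * set can be checked in a unit test or copied into a reverse-proxy config.
 * $nonce must be fresh per response and placed on every <script nonce="...">
 * the page intentionally includes.
 */
function securityHeaders(string $nonce): array
{
    $csp = implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",   // no 'unsafe-inline', no 'unsafe-eval'
        "style-src 'self'",                      // add 'unsafe-inline' only if styles cannot be moved out
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",                    // forms may only POST back to this origin
        "frame-ancestors 'none'",                // modern equivalent of X-Frame-Options: deny
    ]);

    return [
        'X-Frame-Options'         => 'DENY',
        'X-Content-Type-Options'  => 'nosniff',
        'X-XSS-Protection'        => '0',        // deprecated filter; OWASP now recommends 0 (see lead-in)
        'Referrer-Policy'         => 'strict-origin-when-cross-origin',
        'Content-Security-Policy' => $csp,
    ];
}

/** Emit the headers. Must run before any body output, hence the guard. */
function sendSecurityHeaders(string $nonce): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("headers already sent at {$file}:{$line}");
    }
    foreach (securityHeaders($nonce) as $name => $value) {
        header("{$name}: {$value}", true);       // true: replace any earlier value
    }
    // HSTS only makes sense on an HTTPS response; sending it over HTTP is ignored.
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains', true);
    }
}

// Usage at the very top of the front controller (index.php / main.php):
$nonce = bin2hex(random_bytes(16));
sendSecurityHeaders($nonce);
// ...and in the template for each intentional inline script:
//   <script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') ?>">...</script>

// Offline self-check of the set; the report's reproduction is the same check
// done by eye in the browser's network tab.
$h = securityHeaders($nonce);
foreach (['X-Frame-Options', 'X-Content-Type-Options', 'Content-Security-Policy'] as $required) {
    if (!isset($h[$required])) {
        throw new RuntimeException("missing header {$required}");
    }
}
if (strpos($h['Content-Security-Policy'], "'unsafe-inline'") !== false) {
    throw new RuntimeException('CSP still allows inline scripts');
}
echo "security headers set: ", implode(', ', array_keys($h)), PHP_EOL;
```

Setting the headers in the application rather than only in the web server means every deployment gets them, which is the report's point; the web server or proxy can still add or override them. Keep `form-action 'self'` in mind when reading the CSRF report below: it stops a page on this origin from being made to submit elsewhere, but it does nothing against a form on the attacker's origin that posts here.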

## Security Vulnerability: Cross Site Request Forgery
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5840 (2020-06-23T15:47:56Z, bmortier)

### Description
FusionDirectory is vulnerable to Cross Site Request Forgery (CSRF) attacks.
### Distribution Name and Version
Debian stable
Instance at *admin.fusiondirectory.org* is also affected.
### FusionDirectory Version
1.2
### PHP version used
7.0.14-2
### Origin of php packages
Debian distribution packages.
### Steps to Reproduce
1. Authenticate with a test account at [admin.fusiondirectory.org](https://admin.fusiondirectory.org). Please use a test account, as the password will be reset to a known value.
2. Open the attached file [CSRF-FusionDirectory.html](/uploads/191122aec000105d7648819d6c20b043/CSRF-FusionDirectory.html) in the browser.
3. Click on the *Attack!* button.
**Expected behavior:**
The application checks state changing requests if they are originated from a previously delivered application web page by comparison of a random token parameter. No changes are made.
**Actual behavior:**
The application accepts the request forged by the attacker page. The password of the attacked user is changed to *Password1234!* and the address is set to *Owned!*.
**Reproduces how often:**
100%.
### Additional Information
The URL parameter *plug* is instance specific, but can easily be brute forced by the attacker.
See the [OWASP CSRF Page](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) for further details on this vulnerability.

Milestone: FusionDirectory 1.2.2
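
Added example, not FusionDirectory's code: the synchronizer-token check that the report's expected behaviour describes. A token is generated per session with `random_bytes()` (the primitive the random-token report above calls for), kept server-side, embedded as a hidden field in every state-changing form, and compared with `hash_equals()` on each POST. Since the report notes that the `plug` parameter is guessable, the check must not rely on any URL secret. The function names, the `csrf_token` field name and the sample request arrays are assumptions for this illustration (the `plug` value is made up). The `SameSite` cookie attribute is set as defence in depth: it makes the browser withhold the session cookie from a cross-site top-level POST like the attached page's, but it is not a replacement for the token.

```php
<?php
declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';   // hidden field / header name (assumed name)

/** Start the session with cookie flags that also limit cross-site requests. */
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([            // array form needs PHP >= 7.3
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,                // only sent over HTTPS
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Lax',               // withheld from cross-site POSTs
    ]);
    session_start();
}

/** Return the session's CSRF token, creating it on first use. */
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

/** Hidden input to include in every state-changing <form method="post">. */
function csrfField(): string
{
    return sprintf('<input type="hidden" name="%s" value="%s">',
        CSRF_FIELD, htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8'));
}

/**
 * Verify a request before any handler that changes state (password change,
 * attribute edit, delete). Accepts the token from the form field or from an
 * X-CSRF-Token header for XHR; compares in constant time, never with ==.
 */
function csrfVerify(array $post, array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return true;   // GET must not change state in the first place
    }
    $sent     = $post[CSRF_FIELD] ?? $server['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected = $_SESSION[CSRF_FIELD] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// --- Demonstration with a constructed session and two requests ---------------
// A real deployment calls startSecureSession(); here $_SESSION is a plain
// array so the script runs on the CLI.
$_SESSION = [];
$form = csrfField();   // what the legitimate page embeds

// 1. Forged request in the spirit of the attached CSRF-FusionDirectory.html:
//    the attacker knows or brute-forces plug= and the field names, but has no
//    way to read the victim's token.
$forged = ['plug' => '4', 'password' => 'Password1234!', 'address' => 'Owned!'];
$srv    = ['REQUEST_METHOD' => 'POST'];
if (csrfVerify($forged, $srv)) {
    throw new RuntimeException('forged request accepted');
}

// 2. Legitimate request: the browser submits the hidden field from $form.
preg_match('/value="([0-9a-f]{64})"/', $form, $m);
$legit = $forged + [CSRF_FIELD => $m[1]];
if (!csrfVerify($legit, $srv)) {
    throw new RuntimeException('legitimate request rejected');
}

// 3. A well-formed token from another session is rejected too.
if (csrfVerify($forged + [CSRF_FIELD => bin2hex(random_bytes(32))], $srv)) {
    throw new RuntimeException('foreign token accepted');
}
echo "CSRF check: forged request blocked, legitimate request accepted\n";
```

The check has to be wired in one place that every state-changing entry point passes through, not added form by form, or the next plugin will miss it. Rotating the token after login (and on password change) closes the session-fixation variant in which an attacker plants a session whose token he already knows.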

## LDIF generation does not respect STARTTLS setting
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5824 (2018-07-19T13:52:31Z, bmortier)

### Description
From https://github.com/fusiondirectory/fusiondirectory-plugins/issues/13
When exporting to LDIF, it does not use STARTTLS despite having it activated in the config file.
### Steps to Reproduce
1. Activate TLS and configure your LDAP to require it
2. Export to LDIF
**Expected behavior:**
Export should use STARTTLS
**Actual behavior:**
It does not.

Milestone: FusionDirectory 1.2.2
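
Added example, not FusionDirectory's code: a single connection helper that every code path talking to the directory uses, the LDIF export included, so the TLS setting cannot be bypassed by a path that opens its own connection. It fails closed: when STARTTLS is configured and the upgrade fails, no bind is attempted, instead of falling back to sending the bind password in the clear. The config keys (`uri`, `tls`, `bind_dn`, `bind_pw`), the function names and the sample config are assumptions for this illustration. Against an unreachable or non-TLS server the script exits with the STARTTLS error rather than exporting, which is the behaviour the report expects.

```php
<?php
declare(strict_types=1);

/**
 * Open, protect and bind one LDAP connection from a config array.
 * Never binds in the clear when TLS was requested.
 */
function ldapConnectFromConfig(array $cfg)
{
    $ldap = ldap_connect($cfg['uri']);              // e.g. ldap://ldap.example.com/
    if ($ldap === false) {
        throw new RuntimeException('invalid LDAP URI: ' . $cfg['uri']);
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Require a valid server certificate (equivalent to TLS_REQCERT demand in
    // ldap.conf); STARTTLS without certificate checking is MITM-able.
    if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
        ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }

    $isLdaps = stripos($cfg['uri'], 'ldaps://') === 0;
    if (!empty($cfg['tls']) && !$isLdaps) {
        // Upgrade the plaintext connection before any credential is sent.
        if (!@ldap_start_tls($ldap)) {
            $err = ldap_error($ldap);
            ldap_unbind($ldap);
            throw new RuntimeException("STARTTLS required but failed: {$err}");
        }
    } elseif (empty($cfg['tls']) && !$isLdaps) {
        error_log('WARNING: binding to ' . $cfg['uri'] . ' without TLS');
    }

    if (!@ldap_bind($ldap, $cfg['bind_dn'], $cfg['bind_pw'])) {
        $err = ldap_error($ldap);
        ldap_unbind($ldap);
        throw new RuntimeException("LDAP bind failed: {$err}");
    }
    return $ldap;
}

/** RFC 2849: values that are not SAFE-STRINGs are base64-encoded after "::". */
function ldifLine(string $attr, string $value): string
{
    $safe = preg_match(
        '/\A[\x01-\x09\x0B\x0C\x0E-\x1F\x21-\x39\x3B\x3D-\x7F][\x01-\x09\x0B\x0C\x0E-\x7F]*\z/',
        $value
    ) === 1;
    return $safe ? "{$attr}: {$value}\n" : "{$attr}:: " . base64_encode($value) . "\n";
}

/**
 * Export a subtree as LDIF over a connection from the same helper as the rest
 * of the application, so the export honours the TLS setting by construction.
 */
function exportLdif(array $cfg, string $base, string $filter = '(objectClass=*)'): string
{
    $ldap = ldapConnectFromConfig($cfg);
    $res  = ldap_search($ldap, $base, $filter);
    if ($res === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $res);
    ldap_unbind($ldap);

    $out = '';
    for ($i = 0; $i < $entries['count']; $i++) {
        $e = $entries[$i];
        $out .= ldifLine('dn', $e['dn']);
        for ($j = 0; $j < $e['count']; $j++) {
            $attr = $e[$j];                          // attribute names are indexed
            for ($k = 0; $k < $e[$attr]['count']; $k++) {
                $out .= ldifLine($attr, $e[$attr][$k]);
            }
        }
        $out .= "\n";
    }
    return $out;
}

// Constructed config: TLS required. If the server rejects STARTTLS, the script
// stops here with the error instead of exporting over a cleartext connection.
$config = ['uri' => 'ldap://ldap.example.com/', 'tls' => true,
           'bind_dn' => 'cn=admin,dc=example,dc=com', 'bind_pw' => 'secret'];
try {
    echo exportLdif($config, 'dc=example,dc=com', '(objectClass=country)');
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

The step in the report's reproduction, "configure your LDAP to require it", is also the right regression test: with `olcSecurity: tls=1` (or `security tls=1`) on the server, any code path that still binds in the clear fails loudly instead of silently leaking credentials.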

## Blacklist is not reset correctly for UserAttribute
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5816 (2018-07-19T13:52:54Z, bmortier)

### Description
When editing the members of a group, a blacklist is set in the session to avoid showing objects which are already members in the selection dialog.
But after finishing editing members, if you edit the group owner the blacklist still applies.
### Steps to Reproduce
1. Edit ogroup members
2. Edit ogroup owner
3. Search for a member in the owner selection dialog
**Expected behavior:**
The member should show up.
**Actual behavior:**
It is hidden.
### Additional Information
Spotted by https://jenkins.fusiondirectory.org/view/Selenium-Test/job/Selenium-Tests-Generic/plugin=systems,vminfos=dev-jessie/720/testReport/(root)/ForeignKeysTest/testMoveDepartmentWithForeignKeys/

Milestone: FusionDirectory 1.2.2

## LDIF import can trigger PHP errors on empty file
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5789 (2018-07-19T14:01:24Z, bmortier)

Also it should return the number of entries imported.
See fd-plugins#4807

Milestone: FusionDirectory 1.2.2

## PHP error when I deactivate "opsi client" tab on a workstation
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5730 (2018-07-19T13:41:43Z, bmortier)

### Description
FusionDirectory displays a PHP error when I deactivate the "opsi client" tab on a workstation.
### Distribution Name and Version
Ubuntu 16.04.1 LTS
### FusionDirectory Version
1.3-dev
### Plugin with the defect
Plugin OPSI
### PHP version used
7.0.22
### Origin of php packages
Official packages from Ubuntu
### Steps to Reproduce
1. Display the PHP errors in the configuration
2. Create a workstation with the "opsi client" tab activated
3. Add your workstation to an ogroup with "opsi client" activated
4. Edit your workstation and deactivate the "opsi client" tab
5. You see the PHP error
**Expected behavior:**
No PHP error
**Actual behavior:**
We have a PHP error:
```
PHP error: htmlentities() expects parameter 1 to be string, array given (/usr/share/fusiondirectory/include/simpleplugin/class_Attribute.inc, line 563)
```
**Reproduces how often:**
100%
### Additional Information
```
=== Trace ===
Trace[1]:function htmlentities
File : /usr/share/fusiondirectory/include/simpleplugin/class_Attribute.inc
Line : 563
Type : -
array("config-win-base|setup","hwaudit|setup"),"2","UTF-8"
Trace[2]:class Attribute / function renderAttribute
File : /usr/share/fusiondirectory/include/simpleplugin/attributes/class_SetAttribute.inc
Line : 225
Type : method
array(),"1"
Trace[3]:class SetAttribute / function renderAttribute
File : /usr/share/fusiondirectory/include/simpleplugin/class_simplePlugin.inc
Line : 846
Type : method
array(),"1"
Trace[4]:class simplePlugin / function renderAttributes
File : /usr/share/fusiondirectory/include/simpleplugin/class_simplePlugin.inc
Line : 871
Type : method
"1"
Trace[5]:class simplePlugin / function inheritanceDisplay
File : /usr/share/fusiondirectory/include/simpleplugin/class_simplePlugin.inc
Line : 689
Type : method
-
Trace[6]:class simplePlugin / function execute
File : /usr/share/fusiondirectory/include/simpleplugin/class_simpleTabs.inc
Line : 198
Type : method
-
Trace[7]:class simpleTabs / function execute
File : /usr/share/fusiondirectory/include/simpleplugin/class_simpleManagement.inc
Line : 575
Type : method
-
Trace[8]:class simpleManagement / function execute
File : /usr/share/fusiondirectory/include/simpleplugin/class_simpleManagement.inc
Line : 1338
Type : method
-
Trace[9]:class simpleManagement / function mainInc
File : /usr/share/fusiondirectory/plugins/admin/systems/main.inc
Line : 21
Type : static
"systemManagement"
Trace[10]:function require
File : /usr/share/fusiondirectory/html/main.php
Line : 286
Type : -
"/usr/share/fusiondirectory/plugins/admin/systems/main.inc"
=== /Trace ===
```

Milestone: FusionDirectory 1.2.2