Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #22710 Login forms uses different action URLs depending on the page
    Actions
    Infos
    #22710
    Manuel Vacelet (vaceletm)
    2021-09-20 16:22
    2021-09-09 17:40
    24256
    Details
    Login forms uses different action URLs depending on the page

    Open a Tuleap homepage with it's IP address and try to login => browser refuse to login with because it violates the following Content Security Policy directive: "form-action 'self'"

    Then click on "Login" and try to authenticate => CSP are bypassed.

    Empty
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2021-09-17
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #22587 Tuleap Releases 13.1 Delivered 2021-18-10 11:44 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #22710

    Git commit

    tuleap/tuleap/stable

    Assume Tuleap is always reached over HTTPS 4a7bc424fa
    User avatar Thomas Gerbet (tgerbet) , 2021-09-17 13:51
    Referenced by request #22710

    Artifact Tracker v5

    rel #22587 13.1

    Other

    gerrit #23841
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2021-09-16 18:19

    Yes please, I was waiting for 13.0 to start the integration

    Done. I allowed myself to rename the title of this request since this is not really about CSP and the rules are enforced in the expected way. gerrit #23841 will close the issue.

    That was not the intend. The goal was to have something consistent between the 2 login pages otherwise it's painful to troubleshoot.

    We agree then. Troubleshooting issues where CSP is involved can be tricky in those contexts.

    • Summary
      -login forms doesn't enforce CSP rules in a consitent way 
      +Login forms uses different action URLs depending on the page 
    • Status changed from New to Under review
    User avatar
    Manuel Vacelet (vaceletm)2021-09-16 17:08

    A lot of this could be simplified by the work done in gerrit #23841 and I can request its integration if it is something of interest

    Yes please, I was waiting for 13.0 to start the integration

    However, we cannot expect that accessing Tuleap with a different host than the one specified in the configuration is going to work

    That was not the intend. The goal was to have something consistent between the 2 login pages otherwise it's painful to troubleshoot.

    User avatar
    Thomas Gerbet (tgerbet)2021-09-16 16:59

    I took a quick look and there is no security issue here therefore I'm going to lift the restrictions set on the artifact.

    To explain what's going here:

    • some form actions and URLs on the homepage are prefixed with https://<sys_https_host> when sys_https_host is not empty. This is done to make sure credentials are not sent in clear over the network.
    • we have a CSP blocking form actions trying to send data to another origin because there is no good reason for Tuleap to ever do that.

    The instance was accessed with https://<ip> but sys_https_host was set to something else: the browser detected the origin between the two was different and denied the submission.

    A lot of this could be simplified by the work done in gerrit #23841 and I can request its integration if it is something of interest. However, we cannot expect that accessing Tuleap with a different host than the one specified in the configuration is going to work. There is a non negligible amount of things building URLs from the information given in the configuration so even if the login from homepage was successful it is very likely that issues would have been encountered.