Fix vhost regexp (#2477)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm

@@ -58,7 +58,8 @@ sub processHook {
         }
     }
     if ( $err != PE_OK ) {
-        $self->logger->warn("Hook $hookName returned ".portalConsts->{$err});
+        $self->logger->warn(
+            "Hook $hookName returned " . portalConsts->{$err} );
     }
     return $err;
 }
@@ -155,7 +156,7 @@ sub controlUrl {
         }
 
         # Unprotected hosts
-        my ( $proto, $vhost, $appuri ) = $tmp =~ m#^(https?://)([^/]*)(.*)#;
+        my ( $proto, $vhost, $appuri ) = $tmp =~ m{^(https?://)([^/#?]*)(.*)};
         $vhost =~ s/:\d+$//;
 
         # Try to resolve alias

lemonldap-ng-portal/t/01-Reject-Hashes-in-URL.t

@@ -0,0 +1,29 @@
+use Test::More;
+use strict;
+use IO::String;
+use MIME::Base64;
+
+require 't/test-lib.pm';
+
+my $res;
+
+my $client = LLNG::Manager::Test->new(
+    { ini => { logLevel => 'debug', useSafeJail => 1 } } );
+
+ok(
+    $res = $client->_get(
+        '/',
+        query => 'url='
+          . encode_base64( 'http://bad.com#test.example.llng', '' )
+    ),
+    'Try http://bad.com#test.example.llng'
+);
+expectReject($res);
+ok( $res->[2]->[0] =~ /37/, 'Rejected with PE_BADURL' )
+  or print STDERR Dumper( $res->[2]->[0] );
+
+count(2);
+
+clean_sessions();
+
+done_testing( count() );