Fix security issue with cookies and CDA (#556)

12 years ago · 9243251183
parent 8c4399da3f
commit 9243251183
1 changed files with 1 additions and 3 deletions
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Simple.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Simple.pm
@ -962,15 +962,13 @@ sub run ($$) {
        my $str = $1;
        $class->lmLog( 'CDA request', 'debug' );
        $apacheRequest->args($args);
-        my $host          = $apacheRequest->get_server_name();
        my $redirectUrl   = $class->_buildUrl( $apacheRequest->uri );
        my $redirectHttps = ( $redirectUrl =~ m/^https/ );
        lmSetErrHeaderOut( $apacheRequest,
            'Location' => $redirectUrl . ( $args ? "?" . $args : "" ) );
-        $host =~ s/^[^\.]+\.(.*\..*$)/$1/;
        lmSetErrHeaderOut(
            $apacheRequest,
-            'Set-Cookie' => "$str; domain=$host; path=/"
+            'Set-Cookie' => "$str; path=/"
              . ( $redirectHttps ? "; secure"   : "" )
              . ( $httpOnly      ? "; HttpOnly" : "" )
              . (