From 9e15992517ca631a18a9b93693e4326fc98f81a7 Mon Sep 17 00:00:00 2001
From: Sven Geggus
Date: Thu, 30 Sep 2021 15:38:42 +0200
Subject: [PATCH 1/4] Older Version of cookie handling

---
 www/includes/web_functions.inc.php | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/www/includes/web_functions.inc.php b/www/includes/web_functions.inc.php
index 46fcadb..d189419 100644
--- a/www/includes/web_functions.inc.php
+++ b/www/includes/web_functions.inc.php
@@ -76,10 +76,13 @@ function set_passkey_cookie($user_id,$is_admin) {
 }
 $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
 @ file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time");
- setcookie('orf_cookie', "$user_id:$passkey", $DEFAULT_COOKIE_OPTIONS);
- $sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS;
- $sessto_cookie_opts['expires'] = $this_time+7200;
- setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), $sessto_cookie_opts);
+
+
+ setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', '', TRUE);
+ setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), $this_time+7200, '/', '', '', TRUE);;
+
+
+
 if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); }
 $VALIDATED = TRUE;
@@ -155,7 +158,7 @@ function set_setup_cookie() {
 file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
- setcookie('setup_cookie', $passkey, $DEFAULT_COOKIE_OPTIONS);
+ setcookie('setup_cookie', "$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', '', TRUE);
 if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); }
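Review bot: The positional `setcookie()` calls added for `orf_cookie` and `sessto_cookie` pass `''` as the sixth argument, which is the `secure` flag, so the cookie carrying `$user_id:$passkey` is now also sent over plain HTTP, and the positional form cannot set `samesite` at all; whatever `$DEFAULT_COOKIE_OPTIONS` carried (its definition is not in this patch) is silently dropped. The same pattern is repeated for `setup_cookie` in the next hunk and for the cookie clears in `log_out` (the `@@ -213` hunk). If the options-array form has to go, derive the flag from the deployment's HTTPS setting rather than hard-coding it off, e.g. `$secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';` followed by `setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', $secure, TRUE);` (behind a TLS-terminating proxy this would need to come from configuration instead), and remove the stray `;;` after the `sessto_cookie` call. The enclosing `set_passkey_cookie` begins before this hunk.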
@@ -213,8 +216,8 @@ function log_out($method='normal') {
 $sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS;
 $sessto_cookie_opts['expires'] = $this_time-20000;
- setcookie('orf_cookie', "", $DEFAULT_COOKIE_OPTIONS);
- setcookie('sessto_cookie', "", $DEFAULT_COOKIE_OPTIONS);
+ setcookie('orf_cookie', "", time()-20000, '/', '', '', TRUE);
+ setcookie('sessto_cookie', "", time()-20000, '/', '', '', TRUE);
 $filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID);
 @ unlink("/tmp/$filename");

From 78912c9d698d048779d31d02c3f73c404dddf1e5 Mon Sep 17 00:00:00 2001
From: Sven Geggus
Date: Thu, 30 Sep 2021 15:40:00 +0200
Subject: [PATCH 2/4] Make this work behind frontend proxy with subfolder (might close upstreamissue 109)

---
 www/account_manager/show_group.php | 3 ++-
 www/log_in/index.php | 8 +++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/www/account_manager/show_group.php b/www/account_manager/show_group.php
index e5c367c..65640df 100644
--- a/www/account_manager/show_group.php
+++ b/www/account_manager/show_group.php
@@ -11,6 +11,7 @@ render_submenu();
 $ldap_connection = open_ldap_connection();
+$initialise_group = FALSE;
 if (!isset($_POST['group_name']) and !isset($_GET['group_name'])) {
@@ -279,7 +280,7 @@ function update_form_with_users() {
-
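Review bot: The two context lines directly above the change, `$sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS;` and `$sessto_cookie_opts['expires'] = $this_time-20000;`, are dead once the new `setcookie()` calls use `time()-20000`: the array is built and never read. Either delete those two lines or use `$this_time-20000` in both new calls, which also keeps the expiry source consistent with the first hunk. Clearing a cookie only works when path and domain match what was used when it was set; `'/'` and `''` do match the values used in `set_passkey_cookie`, so that part is fine, but the `''` passed for `secure` is the same flag problem raised on the first hunk. `log_out` begins before this hunk.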
+ /show_group.php" method="post"> diff --git a/www/log_in/index.php b/www/log_in/index.php index 4231b41..ec4863e 100644 --- a/www/log_in/index.php +++ b/www/log_in/index.php @@ -5,6 +5,8 @@ include "web_functions.inc.php"; include "ldap_functions.inc.php"; +global $SERVER_PATH; + if (isset($_GET["unauthorised"])) { $display_unauth = TRUE; } if (isset($_GET["session_timeout"])) { $display_logged_out = TRUE; } if (isset($_GET["redirect_to"])) { $redirect_to = $_GET["redirect_to"]; } @@ -31,16 +33,16 @@ set_passkey_cookie($user_auth,$is_admin); if (isset($_POST["redirect_to"])) { - header("Location: //${_SERVER['HTTP_HOST']}" . base64_decode($_POST['redirect_to']) . "\n\n"); + header("Location: //${_SERVER['HTTP_HOST']}" . $SERVER_PATH . base64_decode($_POST['redirect_to']) . "/\n\n"); } else { if ($IS_ADMIN) { $default_module = "account_manager"; } else { $default_module = "change_password"; } - header("Location: //${_SERVER['HTTP_HOST']}${SERVER_PATH}$default_module?logged_in\n\n"); + header("Location: //${_SERVER['HTTP_HOST']}" . $SERVER_PATH . $default_module . "/?logged_in\n\n"); } } else { - header("Location: //${_SERVER['HTTP_HOST']}${THIS_MODULE_PATH}/index.php?invalid\n\n"); + header("Location: //${_SERVER['HTTP_HOST']}" . $SERVER_PATH . $THIS_MODULE_PATH . "/index.php?invalid\n\n"); } } From 0e4b9a0464d6bdbb76c27c443543c80c6fd117c2 Mon Sep 17 00:00:00 2001 From: Sven Geggus Date: Thu, 30 Sep 2021 15:42:01 +0200 Subject: [PATCH 3/4] Allow usage of other http-port than 80 (Variable HTTP_PORT) --- entrypoint | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/entrypoint b/entrypoint index 640424c..814b54f 100644 --- a/entrypoint +++ b/entrypoint 
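Review bot: In the `redirect_to` branch a `"/"` is now appended unconditionally after `base64_decode($_POST['redirect_to'])`, so a target that ends in a file name or query string becomes `…show_user.php?…/`, which the receiving page will not parse as intended; the other two branches of this hunk place the `/` before `?` and `index.php`, not after them. Separately, the decoded value is still concatenated into the `Location` header without any check that it is a site-local path; inserting `$SERVER_PATH` in front only constrains it when that variable is non-empty, which this patch does not show. A minimal guard before the `header()` call would be `$target = base64_decode($_POST['redirect_to'], true);` followed by `if ($target === false || substr($target, 0, 1) !== '/' || substr($target, 0, 2) === '//') { $target = ''; }`, then redirect to `$SERVER_PATH . $target`, so only a relative path on this host is ever used. The enclosing `if`/`else` structure begins before this hunk.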
@@ -20,11 +20,15 @@ if [ "$LDAP_TLS_CACERT" ]; then sed -i "s/TLS_CACERT.*/TLS_CACERT \/opt\/ca.crt/" /etc/ldap/ldap.conf fi +if [ -z ${HTTP_PORT+x} ]; then HTTP_PORT=80; fi + if [ "${NO_HTTPS,,}" == "true" ]; then + echo "Listen $HTTP_PORT" > /etc/apache2/ports.conf + cat </etc/apache2/sites-enabled/lum.conf - + ServerName $SERVER_HOSTNAME DocumentRoot $php_dir From aa7c1c66fd91e0fa41f7892c7ce1265a668ce802 Mon Sep 17 00:00:00 2001 From: Sven Geggus Date: Fri, 1 Oct 2021 09:24:41 +0200 Subject: [PATCH 4/4] More behind frontend proxy fixes --- www/account_manager/show_user.php | 2 +- www/log_in/index.php | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/www/account_manager/show_user.php b/www/account_manager/show_user.php index 16f7f4d..e181c20 100644 --- a/www/account_manager/show_user.php +++ b/www/account_manager/show_user.php @@ -499,7 +499,7 @@ function check_if_we_should_enable_sending_email() { - + /show_user.php" method="post"> diff --git a/www/log_in/index.php b/www/log_in/index.php index ec4863e..498f344 100644 --- a/www/log_in/index.php +++ b/www/log_in/index.php @@ -5,7 +5,6 @@ include "web_functions.inc.php"; include "ldap_functions.inc.php"; -global $SERVER_PATH; if (isset($_GET["unauthorised"])) { $display_unauth = TRUE; } if (isset($_GET["session_timeout"])) { $display_logged_out = TRUE; } @@ -33,6 +32,7 @@ set_passkey_cookie($user_auth,$is_admin); if (isset($_POST["redirect_to"])) { + //TODO: not sure if $SERVER_PATH is needed here header("Location: //${_SERVER['HTTP_HOST']}" . $SERVER_PATH . base64_decode($_POST['redirect_to']) . "/\n\n"); } else { @@ -42,7 +42,7 @@ } } else { - header("Location: //${_SERVER['HTTP_HOST']}" . $SERVER_PATH . $THIS_MODULE_PATH . "/index.php?invalid\n\n"); + header("Location: //${_SERVER['HTTP_HOST']}" . $THIS_MODULE_PATH . "/index.php?invalid\n\n"); } }
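Review bot: `if [ -z ${HTTP_PORT+x} ]; then HTTP_PORT=80; fi` only defaults an unset variable; `HTTP_PORT=""` in the container environment counts as set, and `echo "Listen $HTTP_PORT"` then writes a bare `Listen` to ports.conf, which Apache refuses at startup. `HTTP_PORT="${HTTP_PORT:-80}"` covers both cases in one line, and because the value is copied verbatim into the config, a check such as `case "$HTTP_PORT" in ''|*[!0-9]*) echo "HTTP_PORT must be numeric" >&2; exit 1;; esac` keeps a typo from producing an unparseable ports.conf. The `cat` heredoc and the VirtualHost line that follow are not legible in this copy of the patch, so whether the port is also substituted there could not be checked.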
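Review bot: The `@@ -42,7` hunk drops `$SERVER_PATH` in front of `$THIS_MODULE_PATH`, which implies `$THIS_MODULE_PATH` already carries the sub-folder prefix, while the `@@ -33,6` hunk keeps `$SERVER_PATH` in front of the decoded `redirect_to` value and leaves a `//TODO` admitting that is unverified. If `redirect_to` is captured from a request path (it is only base64-decoded here, so that is an inference), it presumably carries the prefix as well, and prepending `$SERVER_PATH` would double it behind a sub-folder proxy, the exact deployment this series targets. Rather than shipping the TODO, resolve it by checking where `redirect_to` is encoded, and replace the comment with the outcome, e.g. `// redirect_to is an absolute path within this site and already contains SERVER_PATH` or its opposite. The enclosing `if` blocks begin before both hunks.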