PacketFence - BTS - PacketFence |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0001302 | PacketFence | captive portal | public | 2011-10-05 16:39 | 2012-09-06 10:57 |
|
| Reporter | fgaudreault | |
| Assigned To | obilodeau | |
| Priority | high | Severity | major | Reproducibility | random |
| Status | closed | Resolution | fixed | |
| Platform | | OS | | OS Version | |
| Product Version | 3.3.2 | |
| Target Version | 3.5.1 | Fixed in Version | 3.5.1 | |
| fixed in git revision | stable: 3547973 devel: 3204f55 |
| fixed in mtn revision | |
|
| Summary | 0001302: People cannot confirm email registration on some cases |
| Description | Here is the use case.
In a routed environment, the user self-registers, get the 10min grace period, and tries to load the email link. The email link comes with pf.domain.tld, which usually points to the management interface of PF. The user won't be able to hit the virtual server on port 443 since his IP address won't be allowed to hit the portal. The allow is only for routed-networks, and localhost. So, when you try to reach it using a production ip, you will get a 403.
|
| Steps To Reproduce | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | has duplicate | 0001504 | closed | fdurand | Sponsor Guest registration is not able to activate the registration link. |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2011-10-05 16:39 | fgaudreault | New Issue | |
| 2011-10-05 17:40 | obilodeau | Note Added: 0002317 | |
| 2011-10-05 17:41 | fgaudreault | Note Added: 0002318 | |
| 2011-10-06 09:43 | obilodeau | Target Version | => +1 |
| 2011-10-06 09:43 | obilodeau | Additional Information Updated | |
| 2011-10-25 11:01 | fgaudreault | Note Added: 0002397 | |
| 2011-10-25 11:01 | fgaudreault | Status | new => resolved |
| 2011-10-25 11:01 | fgaudreault | Fixed in Version | => 3.0.2 |
| 2011-10-25 11:01 | fgaudreault | Resolution | open => fixed |
| 2011-10-25 11:01 | fgaudreault | Assigned To | => fgaudreault |
| 2011-10-25 11:44 | obilodeau | Note Added: 0002400 | |
| 2011-10-25 11:44 | obilodeau | Status | resolved => closed |
| 2011-10-25 11:44 | obilodeau | Target Version | +1 => 3.0.2 |
| 2011-10-25 11:44 | obilodeau | Additional Information Updated | |
| 2012-04-27 11:30 | fgaudreault | Resolution | fixed => reopened |
| 2012-04-27 11:30 | fgaudreault | Product Version | 3.0.1 => 3.3.2 |
| 2012-04-27 11:31 | fgaudreault | Status | closed => assigned |
| 2012-04-27 11:32 | fgaudreault | Note Added: 0002690 | |
| 2012-04-27 11:32 | fgaudreault | Resolution | reopened => open |
| 2012-04-27 11:33 | fgaudreault | Note Edited: 0002690 | |
| 2012-05-03 13:41 | obilodeau | Assigned To | fgaudreault => obilodeau |
| 2012-05-07 19:04 | sinusoidal | Note Added: 0002700 | |
| 2012-05-08 08:42 | obilodeau | Note Added: 0002701 | |
| 2012-05-08 08:42 | obilodeau | Priority | normal => high |
| 2012-05-08 08:42 | obilodeau | Fixed in Version | 3.0.2 => |
| 2012-05-08 08:42 | obilodeau | Target Version | 3.0.2 => +1 |
| 2012-08-07 16:05 | obilodeau | Relationship added | has duplicate 0001504 |
| 2012-08-15 16:45 | obilodeau | Note Added: 0002935 | |
| 2012-08-20 16:38 | obilodeau | git revision | => stable: 3547973 devel: 3204f55 |
| 2012-08-20 16:38 | obilodeau | Note Added: 0002950 | |
| 2012-08-20 16:38 | obilodeau | Status | assigned => resolved |
| 2012-08-20 16:38 | obilodeau | Fixed in Version | => +1 |
| 2012-08-20 16:38 | obilodeau | Resolution | open => fixed |
| 2012-09-06 10:56 | obilodeau | Target Version | +1 => 3.5.1 |
| 2012-09-06 10:56 | obilodeau | Fixed in Version | +1 => 3.5.1 |
| 2012-09-06 10:57 | obilodeau | Note Added: 0003020 | |
| 2012-09-06 10:57 | obilodeau | Status | resolved => closed |
|
Notes |
|
|
|
|
Previous readme on how to configure was specifying this and giving appropriate instructions to open up Apache's ACLs. What do you suggest for a fix? |
|
|
|
(0002318)
|
|
fgaudreault
|
|
2011-10-05 17:41
|
|
|
Create a specific location definition in the captive-portal-common for email-activation.cgi and allow all. I think that would do it. |
|
|
|
(0002397)
|
|
fgaudreault
|
|
2011-10-25 11:01
|
|
|
|
|
|
|
3.0.2 is released, closing ticket. |
|
|
|
(0002690)
|
|
fgaudreault
|
2012-04-27 11:32
(edited on: 2012-04-27 11:33) |
|
Issue reopened.
Tested on 3.3.2, the allow all on activate/email is not sufficient. We still get 403 on the cgi file:
client denied by server configuration: /usr/local/pf/html/captive-portal/email_activation.cgi
Caused by :
<DirectoryMatch "%%install_dir%%/html/captive-portal">
Order deny,allow
Deny from all
allow from %%routed-nets%% 127.0.0.1
</DirectoryMatch>
|
|
|
|
|
I've also had this error.
Put in a temporary work around by adding the url to the allowed_from_all_urls in apache.pm, but concerned that this may have opened up security issues?
$tags{'allowed_from_all_urls'} .=
'|/activate/email|/activate/email|/email_activation.cgi'; |
|
|
|
|
|
Increasing priority and targeted for next stable release. |
|
|
|
|
|
|
|
|
|
Better fix for devel completed. |
|
|
|
|
|
fix released in 3.5.1 yesterday |
|