PacketFence - BTS - PacketFence
View Issue Details
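ID: 0001302
Project: PacketFence
Category: captive portal
View Status: public
Date Submitted: 2011-10-05 16:39
Last Update: 2012-09-06 10:57
Reporter: fgaudreault
Assigned To: obilodeau
Priority: high
Severity: major
Reproducibility: random
Status: closed
Resolution: fixed
Product Version: 3.3.2
Target Version: 3.5.1
Fixed in Version: 3.5.1
git revision: stable: 3547973 devel: 3204f55
Summary: 0001302: People cannot confirm email registration on some cases
Description: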
Here is the use case.

In a routed environment, the user self-registers, gets the 10min grace period, and tries to load the email link. The email link comes with pf.domain.tld, which usually points to the management interface of PF. The user won't be able to hit the virtual server on port 443 since his IP address won't be allowed to hit the portal. The allow is only for routed-networks, and localhost. So, when you try to reach it using a production ip, you will get a 403.




No tags attached.
has duplicate 0001504 | closed | fdurand | Sponsor Guest registration is not able to activate the registration link.
Issue History
2011-10-05 16:39 | fgaudreault | New Issue
2011-10-05 17:40 | obilodeau | Note Added: 0002317
2011-10-05 17:41 | fgaudreault | Note Added: 0002318
2011-10-06 09:43 | obilodeau | Target Version | => +1
2011-10-06 09:43 | obilodeau | Additional Information Updated
2011-10-25 11:01 | fgaudreault | Note Added: 0002397
2011-10-25 11:01 | fgaudreault | Status | new => resolved
2011-10-25 11:01 | fgaudreault | Fixed in Version | => 3.0.2
2011-10-25 11:01 | fgaudreault | Resolution | open => fixed
2011-10-25 11:01 | fgaudreault | Assigned To | => fgaudreault
2011-10-25 11:44 | obilodeau | Note Added: 0002400
2011-10-25 11:44 | obilodeau | Status | resolved => closed
2011-10-25 11:44 | obilodeau | Target Version | +1 => 3.0.2
2011-10-25 11:44 | obilodeau | Additional Information Updated
2012-04-27 11:30 | fgaudreault | Resolution | fixed => reopened
2012-04-27 11:30 | fgaudreault | Product Version | 3.0.1 => 3.3.2
2012-04-27 11:31 | fgaudreault | Status | closed => assigned
2012-04-27 11:32 | fgaudreault | Note Added: 0002690
2012-04-27 11:32 | fgaudreault | Resolution | reopened => open
2012-04-27 11:33 | fgaudreault | Note Edited: 0002690
2012-05-03 13:41 | obilodeau | Assigned To | fgaudreault => obilodeau
2012-05-07 19:04 | sinusoidal | Note Added: 0002700
2012-05-08 08:42 | obilodeau | Note Added: 0002701
2012-05-08 08:42 | obilodeau | Priority | normal => high
2012-05-08 08:42 | obilodeau | Fixed in Version | 3.0.2 =>
2012-05-08 08:42 | obilodeau | Target Version | 3.0.2 => +1
2012-08-07 16:05 | obilodeau | Relationship added | has duplicate 0001504
2012-08-15 16:45 | obilodeau | Note Added: 0002935
2012-08-20 16:38 | obilodeau | git revision | => stable: 3547973 devel: 3204f55
2012-08-20 16:38 | obilodeau | Note Added: 0002950
2012-08-20 16:38 | obilodeau | Status | assigned => resolved
2012-08-20 16:38 | obilodeau | Fixed in Version | => +1
2012-08-20 16:38 | obilodeau | Resolution | open => fixed
2012-09-06 10:56 | obilodeau | Target Version | +1 => 3.5.1
2012-09-06 10:56 | obilodeau | Fixed in Version | +1 => 3.5.1
2012-09-06 10:57 | obilodeau | Note Added: 0003020
2012-09-06 10:57 | obilodeau | Status | resolved => closed

Notes
(0002317)
obilodeau   
2011-10-05 17:40   
Previous readme on how to configure was specifying this and giving appropriate instructions to open up Apache's ACLs. What do you suggest for a fix?
(0002318)
fgaudreault   
2011-10-05 17:41   
Create a specific location definition in the captive-portal-common for email-activation.cgi and allow all. I think that would do it.
(0002397)
fgaudreault   
2011-10-25 11:01   
Fixed in 3.0.2
(0002400)
obilodeau   
2011-10-25 11:44   
3.0.2 is released, closing ticket.
(0002690)
fgaudreault   
2012-04-27 11:32   
(edited on: 2012-04-27 11:33)
Issue reopened.

Tested on 3.3.2, the allow all on activate/email is not sufficient. We still get 403 on the cgi file:
client denied by server configuration: /usr/local/pf/html/captive-portal/email_activation.cgi

Caused by:
<DirectoryMatch "%%install_dir%%/html/captive-portal">
  Order deny,allow
  Deny from all
  allow from %%routed-nets%% 127.0.0.1
</DirectoryMatch>

(0002700)
sinusoidal   
2012-05-07 19:04   
I've also had this error.

Put in a temporary workaround by adding the URL to the allowed_from_all_urls in apache.pm, but concerned that this may have opened up security issues?

$tags{'allowed_from_all_urls'} .=
    '|/activate/email|/activate/email|/email_activation.cgi';
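
An added example, not part of the original notes and not PacketFence's actual fix: one way to limit the exception to the single script named in the 403 log line of note 0002690, which also bounds the exposure asked about in note 0002700. It uses the same Apache 2.2 Order/Allow/Deny syntax as the block quoted above; the directory path comes from that log line, and 192.0.2.0/24 is a constructed stand-in for %%routed-nets%%.

```apache
# Added example; Apache 2.2 access control (mod_authz_host).
# 192.0.2.0/24 is a constructed placeholder for %%routed-nets%%.
<DirectoryMatch "/usr/local/pf/html/captive-portal">
  # Default for the whole portal directory: registration networks
  # and localhost only (the block quoted in note 0002690).
  Order deny,allow
  Deny from all
  Allow from 192.0.2.0/24 127.0.0.1

  # Exception limited to one file. <Files> sections are merged after
  # <Directory>/<DirectoryMatch>, so these directives take effect for
  # this script and nothing else in the directory.
  <Files "email_activation.cgi">
    Order allow,deny
    Allow from all
  </Files>
</DirectoryMatch>
```

Every other file in the directory keeps the deny-by-default rule, so a request for any other portal script from a production IP should still return 403. Any `<Location>` section that matches the request is merged later still and would override both blocks.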
(0002701)
obilodeau   
2012-05-08 08:42   
Increasing priority and targeted for next stable release.
(0002935)
obilodeau   
2012-08-15 16:45   
A quick fix was pushed in 3547973: https://github.com/inverse-inc/packetfence/commit/3547973fd7a81f08d9d419685f160ff194573f3a

A better fix is coming for the devel branch: fix/apache-acl-generation-for-guests
(0002950)
obilodeau   
2012-08-20 16:38   
Better fix for devel completed.
(0003020)
obilodeau   
2012-09-06 10:57   
fix released in 3.5.1 yesterday