security #11829 n/a (damz, fabpot)

This PR was merged into the 2.3 branch.

Discussion
----------

n/a

n/a

Commits
-------

3b4046e [HttpFoundation] added some missing tests
cefe237 fix parsing of Authorization header
This commit is contained in:
Fabien Potencier 2014-09-03 09:38:23 +02:00
commit e30bb17b7e
2 changed files with 28 additions and 7 deletions


@ -65,13 +65,13 @@ class ServerBag extends ParameterBag
}
if (null !== $authorizationHeader) {
if (0 === stripos($authorizationHeader, 'basic')) {
if (0 === stripos($authorizationHeader, 'basic ')) {
// Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic
$exploded = explode(':', base64_decode(substr($authorizationHeader, 6)));
$exploded = explode(':', base64_decode(substr($authorizationHeader, 6)), 2);
if (count($exploded) == 2) {
list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;
}
} elseif (empty($this->parameters['PHP_AUTH_DIGEST']) && (0 === stripos($authorizationHeader, 'digest'))) {
} elseif (empty($this->parameters['PHP_AUTH_DIGEST']) && (0 === stripos($authorizationHeader, 'digest '))) {
// In some circumstances PHP_AUTH_DIGEST needs to be set
$headers['PHP_AUTH_DIGEST'] = $authorizationHeader;
$this->parameters['PHP_AUTH_DIGEST'] = $authorizationHeader;
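Review bot: The rewritten explode line still decodes the credential blob with base64_decode() in lenient mode, so a header whose token part contains bytes outside the base64 alphabet is silently stripped of them and can still populate PHP_AUTH_USER and PHP_AUTH_PW from the remainder. Passing the strict flag, `base64_decode(substr($authorizationHeader, 6), true)`, makes such input decode to false, which the existing two-element count check on the next line then rejects, so the new "bogus header" behaviour the commit tests for would also cover malformed payloads rather than only a missing space after the scheme. The `count($exploded) == 2` comparison would read better as `===`, in line with the strict `0 === stripos(...)` checks added above it. The enclosing method starts before and ends after this hunk.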


@ -67,14 +67,24 @@ class ServerBagTest extends \PHPUnit_Framework_TestCase
), $bag->getHeaders());
}
public function testHttpBasicAuthWithPhpCgiBogus()
{
$bag = new ServerBag(array('HTTP_AUTHORIZATION' => 'Basic_'.base64_encode('foo:bar')));
// Username and passwords should not be set as the header is bogus
$headers = $bag->getHeaders();
$this->assertFalse(isset($headers['PHP_AUTH_USER']));
$this->assertFalse(isset($headers['PHP_AUTH_PW']));
}
public function testHttpBasicAuthWithPhpCgiRedirect()
{
$bag = new ServerBag(array('REDIRECT_HTTP_AUTHORIZATION' => 'Basic '.base64_encode('foo:bar')));
$bag = new ServerBag(array('REDIRECT_HTTP_AUTHORIZATION' => 'Basic '.base64_encode('username:pass:word')));
$this->assertEquals(array(
'AUTHORIZATION' => 'Basic '.base64_encode('foo:bar'),
'PHP_AUTH_USER' => 'foo',
'PHP_AUTH_PW' => 'bar'
'AUTHORIZATION' => 'Basic '.base64_encode('username:pass:word'),
'PHP_AUTH_USER' => 'username',
'PHP_AUTH_PW' => 'pass:word'
), $bag->getHeaders());
}
@ -100,6 +110,17 @@ class ServerBagTest extends \PHPUnit_Framework_TestCase
), $bag->getHeaders());
}
public function testHttpDigestAuthWithPhpCgiBogus()
{
$digest = 'Digest_username="foo", realm="acme", nonce="'.md5('secret').'", uri="/protected, qop="auth"';
$bag = new ServerBag(array('HTTP_AUTHORIZATION' => $digest));
// Username and passwords should not be set as the header is bogus
$headers = $bag->getHeaders();
$this->assertFalse(isset($headers['PHP_AUTH_USER']));
$this->assertFalse(isset($headers['PHP_AUTH_PW']));
}
public function testHttpDigestAuthWithPhpCgiRedirect()
{
$digest = 'Digest username="foo", realm="acme", nonce="'.md5('secret').'", uri="/protected, qop="auth"';