security #11829 n/a (damz, fabpot)
This PR was merged into the 2.3 branch. Discussion ---------- n/a n/a Commits -------
3b4046e [HttpFoundation] added some missing tests
cefe237 fix parsing of Authorization header
This commit is contained in:
commit
e30bb17b7e
@ -67,7 +67,7 @@ class ServerBag extends ParameterBag
|
|||||||
if (null !== $authorizationHeader) {
|
if (null !== $authorizationHeader) {
|
||||||
if (0 === stripos($authorizationHeader, 'basic ')) {
|
if (0 === stripos($authorizationHeader, 'basic ')) {
|
||||||
// Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic
|
// Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic
|
||||||
$exploded = explode(':', base64_decode(substr($authorizationHeader, 6)));
|
$exploded = explode(':', base64_decode(substr($authorizationHeader, 6)), 2);
|
||||||
if (count($exploded) == 2) {
|
if (count($exploded) == 2) {
|
||||||
list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;
|
list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;
|
||||||
}
|
}
|
||||||
|
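Review bot: The limit of 2 on `explode()` fixes passwords that contain ':', but the credential payload is still run through `base64_decode()` in non-strict mode, which silently drops characters outside the base64 alphabet instead of failing, so a malformed payload is decoded best-effort rather than rejected the way the `Basic_` scheme typo is. Decoding strictly and bailing out on failure keeps the behaviour for well-formed headers and makes the rejection explicit: `$decoded = base64_decode(substr($authorizationHeader, 6), true);` followed by `if (false !== $decoded) { $exploded = explode(':', $decoded, 2);` wrapped around the existing count check. While on that line, `count($exploded) === 2` matches the strict comparisons used just above (`null !== $authorizationHeader`, `0 === stripos(...)`). The enclosing `if (null !== $authorizationHeader)` and `if (0 === stripos(...))` blocks close outside this hunk.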
@ -67,14 +67,24 @@ class ServerBagTest extends \PHPUnit_Framework_TestCase
|
|||||||
), $bag->getHeaders());
|
), $bag->getHeaders());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testHttpBasicAuthWithPhpCgiBogus()
|
||||||
|
{
|
||||||
|
$bag = new ServerBag(array('HTTP_AUTHORIZATION' => 'Basic_'.base64_encode('foo:bar')));
|
||||||
|
|
||||||
|
// Username and passwords should not be set as the header is bogus
|
||||||
|
$headers = $bag->getHeaders();
|
||||||
|
$this->assertFalse(isset($headers['PHP_AUTH_USER']));
|
||||||
|
$this->assertFalse(isset($headers['PHP_AUTH_PW']));
|
||||||
|
}
|
||||||
|
|
||||||
public function testHttpBasicAuthWithPhpCgiRedirect()
|
public function testHttpBasicAuthWithPhpCgiRedirect()
|
||||||
{
|
{
|
||||||
$bag = new ServerBag(array('REDIRECT_HTTP_AUTHORIZATION' => 'Basic '.base64_encode('foo:bar')));
|
$bag = new ServerBag(array('REDIRECT_HTTP_AUTHORIZATION' => 'Basic '.base64_encode('username:pass:word')));
|
||||||
|
|
||||||
$this->assertEquals(array(
|
$this->assertEquals(array(
|
||||||
'AUTHORIZATION' => 'Basic '.base64_encode('foo:bar'),
|
'AUTHORIZATION' => 'Basic '.base64_encode('username:pass:word'),
|
||||||
'PHP_AUTH_USER' => 'foo',
|
'PHP_AUTH_USER' => 'username',
|
||||||
'PHP_AUTH_PW' => 'bar'
|
'PHP_AUTH_PW' => 'pass:word'
|
||||||
), $bag->getHeaders());
|
), $bag->getHeaders());
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -100,6 +110,17 @@ class ServerBagTest extends \PHPUnit_Framework_TestCase
|
|||||||
), $bag->getHeaders());
|
), $bag->getHeaders());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testHttpDigestAuthWithPhpCgiBogus()
|
||||||
|
{
|
||||||
|
$digest = 'Digest_username="foo", realm="acme", nonce="'.md5('secret').'", uri="/protected, qop="auth"';
|
||||||
|
$bag = new ServerBag(array('HTTP_AUTHORIZATION' => $digest));
|
||||||
|
|
||||||
|
// Username and passwords should not be set as the header is bogus
|
||||||
|
$headers = $bag->getHeaders();
|
||||||
|
$this->assertFalse(isset($headers['PHP_AUTH_USER']));
|
||||||
|
$this->assertFalse(isset($headers['PHP_AUTH_PW']));
|
||||||
|
}
|
||||||
|
|
||||||
public function testHttpDigestAuthWithPhpCgiRedirect()
|
public function testHttpDigestAuthWithPhpCgiRedirect()
|
||||||
{
|
{
|
||||||
$digest = 'Digest username="foo", realm="acme", nonce="'.md5('secret').'", uri="/protected, qop="auth"';
|
$digest = 'Digest username="foo", realm="acme", nonce="'.md5('secret').'", uri="/protected, qop="auth"';
|
||||||
|
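Review bot: The updated `testHttpBasicAuthWithPhpCgiRedirect` fixture `username:pass:word` covers the colon-in-password case the ServerBag change targets, but nothing pins the other edge of the `count($exploded) == 2` guard: a Basic payload with no colon (`'Basic '.base64_encode('foo')`) should leave `PHP_AUTH_USER` and `PHP_AUTH_PW` unset, and `'foo:'` should produce an empty password. A sibling of `testHttpBasicAuthWithPhpCgiBogus` with `$bag = new ServerBag(array('HTTP_AUTHORIZATION' => 'Basic '.base64_encode('foo')));` and the same two `assertFalse(isset(...))` checks would lock that in. Separately, the digest fixture added in the second hunk, `uri="/protected, qop="auth"`, is missing the closing quote after `/protected` (copied from the existing redirect test below it); the bogus-scheme assertions still hold, but the fixture is not a well-formed Digest header, so a comment such as `// NOTE: fixture is intentionally malformed only in its scheme token` or fixing the quote would make the intent clear.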