[Security] remove escape charters from username provided by Digest DigestAuthenticationListener
parent
80f6992a41
commit
f2cbea3b30
@ -157,7 +157,7 @@ class DigestData
|
|||||||
|
|
||||||
public function getUsername()
|
public function getUsername()
|
||||||
{
|
{
|
||||||
return $this->elements['username'];
|
return strtr($this->elements['username'], array("\\\"" => "\"", "\\\\" => "\\"));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function validateAndDecode($entryPointKey, $expectedRealm)
|
public function validateAndDecode($entryPointKey, $expectedRealm)
|
||||||
|
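Review bot: `getUsername()` now returns the decoded name while `$this->elements['username']` keeps the escaped wire form, so any other code in `DigestData` that reads the raw element works on a different string than the one handed to callers. The digest calculation lies outside this hunk; if it builds its hash input from the raw element, confirm it uses the same unquoted value the client hashed, otherwise names containing `\"` or `\\` may never validate. A docblock on the getter would make the contract explicit, e.g. `/** Returns the username with the quoted-string escapes \" and \\ decoded; the raw header value stays in $this->elements. */`. The replacement map would also read more easily with single-quoted literals: `array('\\"' => '"', '\\\\' => '\\')`.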
@ -48,7 +48,7 @@ class DigestDataTest extends \PHPUnit_Framework_TestCase
|
|||||||
'response="b52938fc9e6d7c01be7702ece9031b42"'
|
'response="b52938fc9e6d7c01be7702ece9031b42"'
|
||||||
);
|
);
|
||||||
|
|
||||||
$this->assertEquals('\"user\"', $digestAuth->getUsername());
|
$this->assertEquals('"user"', $digestAuth->getUsername());
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testGetUsernameWithQuoteAndEscape()
|
public function testGetUsernameWithQuoteAndEscape()
|
||||||
@ -60,7 +60,7 @@ class DigestDataTest extends \PHPUnit_Framework_TestCase
|
|||||||
'response="b52938fc9e6d7c01be7702ece9031b42"'
|
'response="b52938fc9e6d7c01be7702ece9031b42"'
|
||||||
);
|
);
|
||||||
|
|
||||||
$this->assertEquals('\"u\\\\\"ser\"', $digestAuth->getUsername());
|
$this->assertEquals('"u\\"ser"', $digestAuth->getUsername());
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testGetUsernameWithSingleQuote()
|
public function testGetUsernameWithSingleQuote()
|
||||||
@ -72,7 +72,19 @@ class DigestDataTest extends \PHPUnit_Framework_TestCase
|
|||||||
'response="b52938fc9e6d7c01be7702ece9031b42"'
|
'response="b52938fc9e6d7c01be7702ece9031b42"'
|
||||||
);
|
);
|
||||||
|
|
||||||
$this->assertEquals('\"u\'ser\"', $digestAuth->getUsername());
|
$this->assertEquals('"u\'ser"', $digestAuth->getUsername());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testGetUsernameWithSingleQuoteAndEscape()
|
||||||
|
{
|
||||||
|
$digestAuth = new DigestData(
|
||||||
|
'username="\"u\\\'ser\"", realm="Welcome, robot!", ' .
|
||||||
|
'nonce="MTM0NzMyMTgyMy42NzkzOmRlZjM4NmIzOGNjMjE0OWJiNDU0MDAxNzJmYmM1MmZl", ' .
|
||||||
|
'uri="/path/info?p1=5&p2=5", cnonce="MDIwODkz", nc=00000001, qop="auth", ' .
|
||||||
|
'response="b52938fc9e6d7c01be7702ece9031b42"'
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->assertEquals('"u\\\'ser"', $digestAuth->getUsername());
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testGetUsernameWithEscape()
|
public function testGetUsernameWithEscape()
|
||||||
@ -84,7 +96,7 @@ class DigestDataTest extends \PHPUnit_Framework_TestCase
|
|||||||
'response="b52938fc9e6d7c01be7702ece9031b42"'
|
'response="b52938fc9e6d7c01be7702ece9031b42"'
|
||||||
);
|
);
|
||||||
|
|
||||||
$this->assertEquals('\"u\\ser\"', $digestAuth->getUsername());
|
$this->assertEquals('"u\\ser"', $digestAuth->getUsername());
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testValidateAndDecode()
|
public function testValidateAndDecode()
|
||||||
|
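Review bot: `testGetUsernameWithSingleQuoteAndEscape` pins that a backslash before `'` is returned unchanged, but nothing in the test says this is intended rather than an oversight, since a backslash in a quoted string can escape any character. A comment above the assertion would record the decision, e.g. `// Only \" and \\ are decoded; a backslash before any other character is kept as sent.` All of these cases assert `getUsername()` only; whether a header with an escaped username still passes digest validation is not exercised in the visible hunks, and `testValidateAndDecode` begins outside them.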