Fabien Potencier 54ffd9ebfd merged branch sstok/fix_digest_authentication (PR #5874)
This PR was merged into the 2.0 branch.

Commits
-------

f2cbea3 [Security] remove escape characters from username provided by Digest DigestAuthenticationListener
80f6992 [Security] added test extra for digest authentication
d66b03c fixed CS
694697d [Security] Fixed digest authentication
c067586 [Security] Fixed digest authentication

Discussion
----------

Fix digest authentication

Bug fix: yes
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes
Fixes the following tickets:
Todo: -
License of the code: MIT
Documentation PR: -
Replaces: #5485

This adds the missing fixes.

My only concern is the `\"` removal.
`\"` is only needed for the HTTP transport, but keeping it would also require storing the username with the escapes.

---------------------------------------------------------------------------

by fabpot at 2012-10-30T11:25:28Z

The digest authentication mechanism is not that widespread due to its limitations. And when the transport is not HTTP, I think we are talking about very few cases.

---------------------------------------------------------------------------

by sstok at 2012-10-30T12:49:14Z

Apache seems to remove (ignore) escape characters.

```c
if (auth_line[0] == '=') {
    auth_line++;
    while (apr_isspace(auth_line[0])) {
        auth_line++;
    }

    vv = 0;
    if (auth_line[0] == '\"') {         /* quoted string */
        auth_line++;
        while (auth_line[0] != '\"' && auth_line[0] != '\0') {
            if (auth_line[0] == '\\' && auth_line[1] != '\0') {
                auth_line++;            /* escaped char */
            }
            value[vv++] = *auth_line++;
        }
        if (auth_line[0] != '\0') {
            auth_line++;
        }
    }
    else {                               /* token */
        while (auth_line[0] != ',' && auth_line[0] != '\0'
               && !apr_isspace(auth_line[0])) {
            value[vv++] = *auth_line++;
        }
    }
    value[vv] = '\0';
}
```

But would this change be a BC break for people already using quotes but without a comma, who thus never hit this bug?

The change itself is minimal, just calling `str_replace('\\\\', '\\', str_replace('\\"', '"', $value))` when getting the username.

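As an added example (not Apache's or Symfony's code), a small C parser that applies the same quoted-string rules as the Apache excerpt above to one `key=value` field of a Digest header, so that a username containing `"` or `,` is recovered intact while an unquoted token still ends at the next comma; the function names and buffer sizes are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* One "key=value" element of a Digest Authorization header, following the
 * quoted-string rules of the Apache excerpt: inside quotes a value may hold
 * commas and backslash escapes (\" and \\); a bare token ends at ',' or space.
 * Returns the position after the element, or NULL if it is malformed. */
static const char *digest_field(const char *p, char *key, char *val, size_t cap)
{
    size_t n = 0;
    while (*p == ',' || isspace((unsigned char)*p)) p++;      /* separators */
    while (*p && *p != '=' && *p != ',' && !isspace((unsigned char)*p)) {
        if (n + 1 >= cap) return NULL;
        key[n++] = *p++;
    }
    key[n] = '\0';
    while (isspace((unsigned char)*p)) p++;
    if (n == 0 || *p++ != '=') return NULL;
    while (isspace((unsigned char)*p)) p++;
    n = 0;
    if (*p == '"') {                                          /* quoted string */
        for (p++; *p && *p != '"'; val[n++] = *p++) {
            if (*p == '\\' && p[1] != '\0') p++;              /* drop the escape */
            if (n + 1 >= cap) return NULL;
        }
        if (*p++ != '"') return NULL;                         /* unterminated */
    } else {                                                  /* bare token */
        for (; *p && *p != ',' && !isspace((unsigned char)*p); val[n++] = *p++)
            if (n + 1 >= cap) return NULL;
    }
    val[n] = '\0';
    return p;
}

/* Copy the unescaped username from a header value such as
 *   username="te\"st, x", realm="app"
 * into out (capacity cap). Returns 1 on success, 0 if absent or malformed. */
int digest_username(const char *header, char *out, size_t cap)
{
    char key[256], val[256];                 /* assumed sizes, constructed example */
    const char *p = header;
    while (*p && (p = digest_field(p, key, val, sizeof val)) != NULL) {
        if (strcmp(key, "username") == 0 && strlen(val) < cap) {
            strcpy(out, val);
            return 1;
        }
    }
    return 0;
}
```

A quoted value without a comma parses exactly as before, which is the BC case raised above; only values that were previously cut at an embedded comma or escaped quote change.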
---------------------------------------------------------------------------

by fabpot at 2012-11-13T13:00:12Z

@sstok Doing the same as Apache seems the best option here (just document the BC break).

---------------------------------------------------------------------------

by sstok at 2012-11-15T16:05:00Z

Hopefully I did this correctly, but the needed escapes seem to be removed as intended:
`\"` is changed to `"`, `\\` is changed to `\`,
and `\'` is kept as it is, as this needs no correcting.

@Vincent-Simonin Can you verify please.

---------------------------------------------------------------------------

by Vincent-Simonin at 2012-11-19T09:28:18Z

Authentication didn't work with this configuration:

```yaml
providers:
    in_memory:
        name: in_memory
        users:
            te"st: { password: test, roles: [ 'ROLE_USER' ] }
```

`te"st` was set in authentication form's user field.

(Must we also escape `"` in the configuration file?)

Tests were performed with nginx.

---------------------------------------------------------------------------

by sstok at 2012-11-19T09:33:34Z

Yes. YAML escapes using a duplicate quote, like SQL.

```yaml
providers:
    in_memory:
        name: in_memory
        users:
            "te""st": { password: test, roles: [ 'ROLE_USER' ] }
```

README

What is Symfony2?

Symfony2 is a PHP 5.3 full-stack web framework. It is written with speed and flexibility in mind. It allows developers to build better and easier-to-maintain websites with PHP.

Symfony can be used to develop all kinds of websites, from your personal blog to high-traffic ones like Dailymotion or Yahoo! Answers.

Requirements

Symfony2 is only supported on PHP 5.3.2 and up.

Installation

The best way to install Symfony2 is to download the Symfony Standard Edition available at http://symfony.com/download.

Documentation

The "Quick Tour" tutorial gives you a first feeling of the framework. If, like us, you think that Symfony2 can help speed up your development and take the quality of your work to the next level, read the official Symfony2 documentation.

Contributing

Symfony2 is an open source, community-driven project. If you'd like to contribute, please read the Contributing Code part of the documentation. If you're submitting a pull request, please follow the guidelines in the Submitting a Patch section.