diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.
54ffd9ebfd
symfony/tests/Symfony/Tests/Component
History
Fabien Potencier 54ffd9ebfd merged branch sstok/fix_digest_authentication (PR #5874) 
This PR was merged into the 2.0 branch.

Commits
-------

f2cbea3 [Security] remove escape charters from username provided by Digest DigestAuthenticationListener
80f6992 [Security] added test extra for digest authentication
d66b03c fixed CS
694697d [Security] Fixed digest authentication
c067586 [Security] Fixed digest authentication

Discussion
----------

Fix digest authentication

Bug fix: yes
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes
Fixes the following tickets:
Todo: -
License of the code: MIT
Documentation PR: -
Replaces: #5485

This adds the missing fixes.

My only concerns is the ```\"``` removing.
```\"``` is only needed for the HTTP transport, but keeping them would require to also store the username with the escapes as well.

---------------------------------------------------------------------------

by fabpot at 2012-10-30T11:25:28Z

The digest authentication mechanism is not that widespread due to its limitation. And the transport is not HTTP, I think we are talking about very few cases.

---------------------------------------------------------------------------

by sstok at 2012-10-30T12:49:14Z

Apache seems to remove (ignore) escape characters.

```c
if (auth_line[0] == '=') {
            auth_line++;
            while (apr_isspace(auth_line[0])) {
                auth_line++;
            }

            vv = 0;
            if (auth_line[0] == '\"') {         /* quoted string */
                auth_line++;
                while (auth_line[0] != '\"' && auth_line[0] != '\0') {
                    if (auth_line[0] == '\\' && auth_line[1] != '\0') {
                        auth_line++;            /* escaped char */
                    }
                    value[vv++] = *auth_line++;
                }
                if (auth_line[0] != '\0') {
                    auth_line++;
                }
            }
            else {                               /* token */
                while (auth_line[0] != ',' && auth_line[0] != '\0'
                       && !apr_isspace(auth_line[0])) {
                    value[vv++] = *auth_line++;
                }
            }
            value[vv] = '\0';
        }
```

But would this change be a BC break for people already using quotes but without a comma and thus they never hit this bug?

The change it self is minimum, just calling ```str_replace('\\\\', '\\', str_replace('\\"', '"', $value))``` when getting the username.

---------------------------------------------------------------------------

by fabpot at 2012-11-13T13:00:12Z

@sstok Doing the same as Apache seems the best option here (just document the BC break).

---------------------------------------------------------------------------

by sstok at 2012-11-15T16:05:00Z

Hopefully I did this correct, but the needed escapes seem correctly removed.
`\"` is changed to `"` `\\` is changed to `\`
`\'` it kept as it is, as this needs no correcting.

@Vincent-Simonin Can you verify please.

---------------------------------------------------------------------------

by Vincent-Simonin at 2012-11-19T09:28:18Z

Authentication didn't work with this configuration :

```
providers:
    in_memory:
        name: in_memory
        users:
            te"st: { password: test, roles: [ 'ROLE_USER' ] }
```

`te"st` was set in authentication form's user field.

(Must we also escape `"` in configuration file ?)

Tests were performed with nginx.

---------------------------------------------------------------------------

by sstok at 2012-11-19T09:33:34Z

Yes. YAML escapes using an duplicate quote, like SQL.

```yaml
providers:
    in_memory:
        name: in_memory
        users:
            "te""st": { password: test, roles: [ 'ROLE_USER' ] }
```
2012-11-19 14:04:22 +01:00
..
BrowserKit fixed CS 2012-03-11 17:59:42 +01:00
ClassLoader [ClassLoader] fixed unbracketed namespaces (closes #5747) 2012-10-27 17:55:46 +02:00
Config fixed CS (mainly method signatures) 2012-07-09 14:43:50 +02:00
Console Show correct class name InputArgument in error message 2012-11-05 14:52:03 -05:00
CssSelector [CssSelector] ignored an optional whitespace after a combinator 2012-05-13 09:14:40 +02:00
DependencyInjection prevents injection of malicious doc types 2012-08-28 08:43:14 +02:00
DomCrawler Update src/Symfony/Component/DomCrawler/Tests/FormTest.php 2012-11-19 13:41:38 +01:00
EventDispatcher [EventDispatcher] Fixed E_NOTICES with multiple eventnames per subscriber with mixed priorities 2012-04-12 15:56:02 +05:45
Finder fixed CS (mainly method signatures) 2012-07-09 14:43:50 +02:00
Form [Form] Excluded some tests in NumberToLocalizedStringTransformerTest which fail on ICU 4.4, but work on ICU 4.8 2012-11-08 18:34:46 +01:00
HttpFoundation [HttpFoundation] Make host & methods really case insensitive in the RequestMacther 2012-11-12 13:39:12 +01:00
HttpKernel Add check to Store::unlock to ensure file exists 2012-08-29 16:45:40 +10:00
Locale fixed CS (mainly method signatures) 2012-07-09 14:43:50 +02:00
Process [Process] fix ProcessTest::testProcessPipes hangs on Windows on branch 2.0 2012-08-25 23:29:32 +04:00
Routing prevents injection of malicious doc types 2012-08-28 08:43:14 +02:00
Security [Security] remove escape charters from username provided by Digest DigestAuthenticationListener 2012-11-15 16:54:04 +01:00
Serializer refined previous commit 2012-08-28 08:43:14 +02:00
Templating fixed CS (mainly method signatures) 2012-07-09 14:43:50 +02:00
Translation prevents injection of malicious doc types 2012-08-28 08:43:14 +02:00
Validator prevents injection of malicious doc types 2012-08-28 08:43:14 +02:00
Yaml fixed CS (mainly method signatures) 2012-07-09 14:43:50 +02:00