
Skip extensions for notFound and badRequest #2867

Closed
hueniverse opened this issue Oct 21, 2015 · 1 comment

@hueniverse hueniverse commented Oct 21, 2015

Only execute onRequest and onPreResponse. This is a security issue as it can create a way to execute code that bypasses authentication because the built-in not found and bad request handlers do not support authentication (and cannot).


@hueniverse hueniverse commented Oct 26, 2015

While this is a breaking change, it is breaking insecure behavior that is probably unexpected by most developers since they rarely test invalid paths or non-existing paths. It can affect implementations where a required authentication scheme is configured and therefore all other extension points after authentication assume the request has been properly authenticated.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 10, 2020
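
The behavior discussed in this issue, as an added sketch that is not hapi's code and not part of the original thread: a simplified model of the request lifecycle, in which `createServer`, `inject`, the `skipExtensionsForBuiltins` flag and the `/account` route are hypothetical names. It models only the not-found case and shows an extension registered after authentication running for an unmatched path that never went through authentication, next to the same request when only onRequest and onPreResponse run.

```javascript
// Simplified model of a hapi-style request lifecycle; illustrative, not hapi's implementation.
const POINTS = ['onRequest', 'onPreAuth', 'onPostAuth', 'onPreHandler', 'onPostHandler', 'onPreResponse'];

function createServer({ skipExtensionsForBuiltins }) {
  const routes = new Map();                                  // path -> handler
  const exts = new Map(POINTS.map((p) => [p, []]));
  const run = (point, request) => exts.get(point).forEach((fn) => fn(request));

  return {
    route: (path, handler) => routes.set(path, handler),
    ext: (point, fn) => exts.get(point).push(fn),
    inject(path, credentials) {
      const request = { path, auth: { isAuthenticated: false, credentials: null } };
      run('onRequest', request);
      const handler = routes.get(path);
      const builtin = handler === undefined;                 // falls through to built-in notFound
      const skip = builtin && skipExtensionsForBuiltins;
      let statusCode = null;
      if (!skip) run('onPreAuth', request);
      if (!builtin) {                                        // required scheme only guards real routes
        if (credentials) request.auth = { isAuthenticated: true, credentials };
        else statusCode = 401;
      }
      if (statusCode === null) {
        if (!skip) { run('onPostAuth', request); run('onPreHandler', request); }
        statusCode = builtin ? 404 : handler(request);
        if (!skip) run('onPostHandler', request);
      }
      run('onPreResponse', request);
      return statusCode;
    }
  };
}

// Constructed scenario: an onPostAuth extension that assumes authentication already succeeded.
function scenario(skipExtensionsForBuiltins) {
  const server = createServer({ skipExtensionsForBuiltins });
  const ran = [];                                            // what the extension saw
  server.route('/account', () => 200);
  server.ext('onPostAuth', (req) => ran.push(`${req.path} authenticated=${req.auth.isAuthenticated}`));
  const statuses = [
    server.inject('/account', { user: 'alice' }),            // valid credentials
    server.inject('/account', null),                         // rejected by auth, extension never runs
    server.inject('/no-such-path', null)                     // built-in notFound, no auth step
  ];
  return { statuses, ran };
}

console.log('before:', scenario(false));
console.log('after: ', scenario(true));
```

An application that depends on post-authentication extensions can check this in its own tests by requesting a non-existent path without credentials and asserting that those extensions did not run.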