Skip extensions for notFound and badRequest #2867

Closed
hueniverse opened this issue Oct 21, 2015 · 1 comment
Labels: breaking changes (Change that can break existing code), bug (Bug or defect), security (Issue with security impact)

@hueniverse
Contributor

Only execute onRequest and onPreResponse. This is a security issue as it can create a way to execute code that bypasses authentication because the built-in not found and bad request handlers do not support authentication (and cannot).

hueniverse added the bug, breaking changes and security labels Oct 21, 2015
hueniverse self-assigned this Oct 26, 2015
hueniverse added this to the 11.0.3 milestone Oct 26, 2015
@hueniverse
Contributor Author

While this is a breaking change, it is breaking insecure behavior that is probably unexpected by most developers since they rarely test invalid paths or non-existing paths. It can affect implementations where a required authentication scheme is configured and therefore all other extension points after authentication assume the request has been properly authenticated.

lock bot locked as resolved and limited conversation to collaborators Jan 10, 2020
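The behaviour discussed in this issue, as an added example that is not part of the thread and is not hapi's code: a simplified model of the request lifecycle, run with and without the skip for the built-in not-found handler. The stage names other than onRequest and onPreResponse, the route table, the token and the extension are assumptions of the model.

```javascript
// Simplified, constructed model of a request lifecycle; not hapi source code.
const STAGES = ['onRequest', 'onPreAuth', 'authenticate', 'onPostAuth',
  'onPreHandler', 'handler', 'onPostHandler', 'onPreResponse'];
// What still runs for built-in notFound/badRequest handling after the change.
const BUILT_IN_STAGES = new Set(['onRequest', 'handler', 'onPreResponse']);

function simulate(path, headers, routes, extensions, skipForBuiltIn) {
  const route = routes[path]; // undefined: falls through to the built-in notFound handler
  const request = { path, auth: { isAuthenticated: false, credentials: null } };
  const trace = [];
  for (const stage of STAGES) {
    if (!route && skipForBuiltIn && !BUILT_IN_STAGES.has(stage)) continue;
    if (stage === 'authenticate') {
      if (!route) continue; // built-in handlers carry no authentication config
      if (headers.authorization !== 'Bearer constructed-token') {
        return { status: 401, trace }; // simplified: response stages omitted on rejection
      }
      request.auth = { isAuthenticated: true, credentials: { user: 'alice' } };
    } else if (stage === 'handler') {
      request.status = route ? 200 : 404;
    } else {
      for (const ext of extensions[stage] || []) ext(request, trace);
    }
  }
  return { status: request.status, trace };
}

// Hypothetical extension written on the assumption that authentication already succeeded.
const extensions = {
  onPostAuth: [(request, trace) =>
    trace.push(`onPostAuth ran, authenticated=${request.auth.isAuthenticated}`)]
};
const routes = { '/account': { auth: 'required' } }; // constructed route table

function demo() {
  const token = { authorization: 'Bearer constructed-token' };
  return {
    before: simulate('/no-such-path', {}, routes, extensions, false),
    after: simulate('/no-such-path', {}, routes, extensions, true),
    rejected: simulate('/account', {}, routes, extensions, true),
    allowed: simulate('/account', token, routes, extensions, true)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```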