Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent some XSS issues with the api #1030

Merged
merged 4 commits into from Aug 27, 2015
Merged

Prevent some XSS issues with the api #1030

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
16a8387
Refs #1028: Sessions must be destroyed after each API call.
mapkyca Aug 27, 2015
0d41727
Refs #1028: Shortcircuiting HMAC validation for logged in users opens…
mapkyca Aug 27, 2015
d009caa
Refs #1028: I think this is what you meant...
mapkyca Aug 27, 2015
b6ee8e4
Closes #1028: Set HTTP header in API so api knows where to go next. (…
mapkyca Aug 27, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 5 additions & 1 deletion Idno/Common/Page.php
View file
Open in desktop
Expand Up @@ -505,9 +505,13 @@ function forward($location = '', $exit = true)
}
*/

if (!\Idno\Core\site()->session()->isAPIRequest() || $this->response == 200) {
if (!\Idno\Core\site()->session()->isAPIRequest() && $this->response == 200) {
header('Location: ' . $location);
}
elseif (\Idno\Core\site()->session()->isAPIRequest()) {
header('X-Known-API-Location: ' . $location);
}

if ($exit) {
exit;
}
Expand Down
14 changes: 9 additions & 5 deletions Idno/Core/Session.php
View file
Open in desktop
Expand Up @@ -85,8 +85,16 @@ function init()
}

});

// If this is an API request, we need to destroy the session afterwards. See #1028
register_shutdown_function(function () {
$session = site()->session();
if ($session && $session->isAPIRequest()) {
$session->logUserOff();
}
});
}

/**
* Validate the session.
* @throws \Exception if the session is invalid.
Expand Down Expand Up @@ -372,10 +380,6 @@ function APIlogin()

if ($user = \Idno\Entities\User::getByHandle($_SERVER['HTTP_X_KNOWN_USERNAME'])) {

// Short circuit authentication, since this user is already logged in. Needed to resolve #595
if (\Idno\Core\site()->session()->currentUser() && \Idno\Core\site()->session()->currentUser()->getUUID() == $user->getUUID())
return $user;

$key = $user->getAPIkey();
$hmac = trim($_SERVER['HTTP_X_KNOWN_SIGNATURE']);
$compare_hmac = base64_encode(hash_hmac('sha256', $_SERVER['REQUEST_URI'], $key, true));
Expand Down