Authentication could be bypassed if URI had multiple slashes
RequestPathRule now removes multiple slashes from the URI before determining whether the path should be authenticated or not. For the client, /foo and //foo are different URIs. On the server side it depends on the implementation, but they usually map to the same route action. Different PSR-7 implementations were behaving in different ways. Diactoros removes multiple leading slashes while Slim does not.

* If you are authenticating a subfolder, for example /api, with Slim it was possible to bypass authentication by doing a request to //api.
* If you are using the default setting of authenticating all routes you were not affected.
* Diactoros was not affected.

See tuupola/slim-jwt-auth#50
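The commit message describes the mechanism of the fix: normalise the request path before deciding whether it falls under the protected prefix. The PHP script below is an added example, not code from slim-basic-auth or its `RequestPathRule`; the helper names `normalizePath`, `protectedNaive` and `protectedNormalized` are assumptions made for illustration. It shows a naive prefix check next to one that first collapses repeated slashes, so that `//api` and `/api` reach the same decision.

```php
<?php
// Added example (not the slim-basic-auth implementation): demonstrates why a
// path-based authentication rule must normalise the request path before
// comparing it against the protected prefix.

/**
 * Collapse runs of slashes and drop a trailing slash so that "//api",
 * "/api//" and "/api" all compare as "/api". Assumed helper; the real
 * RequestPathRule may normalise differently.
 */
function normalizePath(string $path): string
{
    $path = preg_replace('#/+#', '/', $path);
    $path = rtrim($path, '/');
    return $path === '' ? '/' : $path;
}

/**
 * Naive prefix match, the kind of check the commit message says was
 * bypassable: "//api" does not start with "/api", so the request is
 * treated as unprotected.
 */
function protectedNaive(string $path, string $prefix): bool
{
    return $path === $prefix || strpos($path, $prefix . '/') === 0;
}

/**
 * Same decision, but taken on the normalised path, so every spelling of
 * the protected subfolder is authenticated.
 */
function protectedNormalized(string $path, string $prefix): bool
{
    return protectedNaive(normalizePath($path), normalizePath($prefix));
}

// Constructed request paths; "//api" and "///api/users" are the cases the
// commit message describes, "/apix" and "/public" are controls that must
// stay unprotected under both checks.
$prefix = '/api';
foreach (['/api', '//api', '/api//users', '///api/users', '/apix', '/public'] as $path) {
    printf(
        "%-14s naive=%-4s normalised=%s\n",
        $path,
        protectedNaive($path, $prefix) ? 'yes' : 'no',
        protectedNormalized($path, $prefix) ? 'yes' : 'no'
    );
}
```

Run it with `php example.php`: the naive column answers `no` for `//api` and `///api/users` while the normalised column answers `yes`, and both columns answer `no` for `/apix` and `/public`. Normalising the prefix as well as the path keeps the comparison symmetric if the configured `"path"` value itself carries a trailing slash.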
Showing 3 changed files with 109 additions and 1 deletion.
@@ -0,0 +1,51 @@ | ||
# Changelog | ||
|
||
All notable changes to this project will be documented in this file, in reverse chronological order by release. | ||
|
||
## 2.2.2 - 2017-02-27 | ||
|
||
This is a security release. | ||
|
||
`RequestPathRule` now removes multiple slashes from the URI before determining whether the path should be authenticated or not. For client `/foo` and `//foo` are different URIs. On server side it depends on implementation but they usually map to the same route action. | ||
|
||
Different PSR-7 implementations were behaving in different way. Diactoros [removes multiple leading slashes](https://github.com/zendframework/zend-diactoros/blob/master/CHANGELOG.md#104---2015-06-23) while Slim does not. | ||
|
||
This means if you are authenticating a subfolder, for example `/api`, with Slim it was possible to bypass authentication by doing a request to `GET //api`. Diactoros was not affected. | ||
|
||
```php | ||
$app->add(new \Slim\Middleware\HttpBasicAuthentication([ | ||
"path" => "/api", | ||
"users" => [ | ||
"root" => "t00r", | ||
"somebody" => "passw0rd" | ||
] | ||
])); | ||
``` | ||
|
||
If you were using default setting of authenticating all routes you were not affected. | ||
|
||
```php | ||
$app->add(new \Slim\Middleware\HttpBasicAuthentication([ | ||
"users" => [ | ||
"root" => "t00r", | ||
"somebody" => "passw0rd" | ||
] | ||
])); | ||
``` | ||
|
||
### Added | ||
|
||
- Nothing. | ||
|
||
### Deprecated | ||
|
||
- Nothing. | ||
|
||
### Removed | ||
|
||
- Nothing. | ||
|
||
### Fixed | ||
|
||
- Ported fix for bug [slim-jwt-auth/50](https://github.com/tuupola/slim-jwt-auth/issues/50) where in some cases it was possible to bypass authentication by adding multiple slashes to request URI. | ||
|
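Review bot: the line `RequestPathRule now removes multiple slashes from the URI` should say whether only leading slashes or every run of consecutive slashes is collapsed, since the Diactoros behaviour linked two paragraphs later is described as removing "multiple leading slashes" and a reader comparing the two needs to know whether a request such as `GET /api//users` (hypothetical) is also normalised before the `"path" => "/api"` check. It would also help to state in the `### Fixed` entry that releases before 2.2.2 using the `path` option are the affected ones, so users can tell from the changelog alone whether they must upgrade.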