Adding extra slashes after domain name in url allows you to bypass JWT Authentication #50
Comments
Add a logger or error handler to debug why the authentication fails. https://github.com/tuupola/slim-jwt-auth#logger
HTTP 401 Unauthorized is expected because I made the request without the token in the Authorization header. (I forgot to mention it in the first comment.)
Ok I misunderstood. It seems that even though Will commit a fix soon.
While waiting for your commit, I was able to temporarily fix the issue by replacing:
Yep, this is what I did:
RequestPathRule now removes multiple slashes from the URI before determining whether the path should be authenticated or not. For the client, /foo and //foo are different URIs. On the server side it depends on the implementation, but they usually map to the same route action. Different PSR-7 implementations were behaving in different ways: Diactoros removes multiple leading slashes while Slim does not.
* If you are authenticating a subfolder, for example /api, with Slim it was possible to bypass authentication by doing a request to //api.
* If you are using the default setting of authenticating all routes, you were not affected.
* Diactoros was not affected.
Fixes bug #50. If you were using the default setting of authenticating all routes, you were not affected.
This currently breaks encrypted cookie tests and they are disabled. Fixes #50 for the 1.x branch.
RequestPathRule now removes multiple slashes from the URI before determining whether the path should be authenticated or not. For the client, /foo and //foo are different URIs. On the server side it depends on the implementation, but they usually map to the same route action. Different PSR-7 implementations were behaving in different ways: Diactoros removes multiple leading slashes while Slim does not.
* If you are authenticating a subfolder, for example /api, with Slim it was possible to bypass authentication by doing a request to //api.
* If you are using the default setting of authenticating all routes, you were not affected.
* Diactoros was not affected.
See tuupola/slim-jwt-auth#50
Fixed in
The following array was passed to the JwtAuthentication class constructor:
Sending an HTTP request to "http://localhost/api/v1/restricted" returns HTTP 401 Unauthorized but for some reason I am able to bypass JWT authentication by adding one or more extra slashes after the domain name. e.g. "http://localhost//api/v1/restricted"
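To show why the request above slips past the rule and what the fix in the commit messages changes, here is an added example that is not code from tuupola/slim-jwt-auth or from this thread: a minimal hypothetical path rule with a naive prefix check beside one that collapses repeated slashes before matching (the protected prefix `/api` and the sample paths are constructed for the demonstration).

```php
<?php
// Added example, not the library's own RequestPathRule. In real
// middleware $path would come from $request->getUri()->getPath().

/**
 * Naive rule: authenticate only when the raw path starts with a
 * protected prefix. "//api/v1/restricted" does not start with "/api",
 * so authentication is skipped, yet Slim still routes the request to
 * the same /api/v1/restricted action.
 */
function shouldAuthenticateNaive(string $path, array $protected): bool
{
    foreach ($protected as $prefix) {
        if (strpos($path, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Hardened rule: collapse every run of "/" into a single "/" first, so
 * the rule matches against the same path the router will act on.
 */
function shouldAuthenticateNormalized(string $path, array $protected): bool
{
    $normalized = preg_replace('#/+#', '/', $path);
    return shouldAuthenticateNaive($normalized, $protected);
}

// Constructed sample: protect the /api subfolder, as in the report.
$protected = ['/api'];
$requests = [
    '/api/v1/restricted',    // both rules: auth
    '//api/v1/restricted',   // naive: skip (bypass), normalized: auth
    '///api/v1/restricted',  // naive: skip (bypass), normalized: auth
    '/api//v1/restricted',   // both rules: auth
    '/public',               // both rules: skip (not protected)
];

foreach ($requests as $path) {
    printf(
        "%-24s naive=%s normalized=%s\n",
        $path,
        shouldAuthenticateNaive($path, $protected) ? 'auth' : 'skip',
        shouldAuthenticateNormalized($path, $protected) ? 'auth' : 'skip'
    );
}
```

Note that the same normalization applies to any path list the rule consults, since a mismatch between what the rule sees and what the router sees is the root of the bypass.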