Adding extra slashes after domain name in url allows you to bypass JWT Authentication #50
Comments
|
Add a logger or error handler to debug why the the authentication fails. https://github.com/tuupola/slim-jwt-auth#logger |
|
HTTP 401 Unauthorized is expected because I made the request without the token in the Authorization header. (I forgot to mention it in the first comment.) |
|
Ok I misunderstood. It seems that even though Will commit a fix soon. |
|
While waiting for your commit, I was able to temporarily fix the issue by replacing: |
|
Yep, this is what I did: |
RequestPathRule now removes multiple slashes from the URI before
determining whether the path should be authenticated or not. For client
/foo and //foo are different URIs. On server side it depends on
implementation but they usually map to the same route action.
Different PSR-7 implementations were behaving in different way. Diactoros
removes multiple leading slashes while Slim does not.
* If you are authenticating a subfolder, for example /api, with Slim
was possible to bypass authentication by doing a request to //api.
* If you are using default setting of authenticating all routes you
were not affected.
* Diactoros was not affected.
Fixes bug #50.
If you were using default setting of authenticating all routes you were not affected.
This currently breaks encrypted cookie tests and they are disabled. Fixes #50 for 1.x branch.
RequestPathRule now removes multiple slashes from the URI before
determining whether the path should be authenticated or not. For
client /foo and //foo are different URIs. On server side it
depends on implementation but they usually map to the same route
action.
Different PSR-7 implementations were behaving in different way.
Diactoros removes multiple leading slashes while Slim does not.
* If you are authenticating a subfolder, for example /api,
with Slim was possible to bypass authentication by doing
a request to //api.
* If you are using default setting of authenticating all
routes you were not affected.
* Diactoros was not affected.
See tuupola/slim-jwt-auth#50
|
Fixed in |
RequestPathRule now removes multiple slashes from the URI before
determining whether the path should be authenticated or not. For client
/foo and //foo are different URIs. On server side it depends on
implementation but they usually map to the same route action.
Different PSR-7 implementations were behaving in different way. Diactoros
removes multiple leading slashes while Slim does not.
* If you are authenticating a subfolder, for example /api, with Slim
was possible to bypass authentication by doing a request to //api.
* If you are using default setting of authenticating all routes you
were not affected.
* Diactoros was not affected.
Fixes bug #50.
If you were using default setting of authenticating all routes you were not affected.
The following array was passed to JwtAuthentication class constructor:
Sending an HTTP request to "http://localhost/api/v1/restricted" returns HTTP 401 Unauthorized but for some reason I am able to bypass JWT authentication by adding one or more extra slashes after the domain name. e.g. "http://localhost//api/v1/restricted"
The text was updated successfully, but these errors were encountered: