security symfony#11829 n/a (damz, fabpot)

This PR was merged into the 2.3 branch. Discussion ---------- n/a n/a Commits ------- 3b4046e [HttpFoundation] added some missing tests cefe237 fix parsing of Authorization header
fgueguen · Sep 3, 2014 · e30bb17 · e30bb17
2 parents 0aaabbf + 3b4046e
commit e30bb17
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 7 deletions.
diff --git a/src/Symfony/Component/HttpFoundation/ServerBag.php b/src/Symfony/Component/HttpFoundation/ServerBag.php
@@ -65,13 +65,13 @@ public function getHeaders()
             }
 
             if (null !== $authorizationHeader) {
-                if (0 === stripos($authorizationHeader, 'basic')) {
+                if (0 === stripos($authorizationHeader, 'basic ')) {
                     // Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic
-                    $exploded = explode(':', base64_decode(substr($authorizationHeader, 6)));
+                    $exploded = explode(':', base64_decode(substr($authorizationHeader, 6)), 2);
                     if (count($exploded) == 2) {
                         list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;
                     }
-                } elseif (empty($this->parameters['PHP_AUTH_DIGEST']) && (0 === stripos($authorizationHeader, 'digest'))) {
+                } elseif (empty($this->parameters['PHP_AUTH_DIGEST']) && (0 === stripos($authorizationHeader, 'digest '))) {
                     // In some circumstances PHP_AUTH_DIGEST needs to be set
                     $headers['PHP_AUTH_DIGEST'] = $authorizationHeader;
                     $this->parameters['PHP_AUTH_DIGEST'] = $authorizationHeader;

diff --git a/src/Symfony/Component/HttpFoundation/Tests/ServerBagTest.php b/src/Symfony/Component/HttpFoundation/Tests/ServerBagTest.php
@@ -67,14 +67,24 @@ public function testHttpBasicAuthWithPhpCgi()
         ), $bag->getHeaders());
     }
 
+    public function testHttpBasicAuthWithPhpCgiBogus()
+    {
+        $bag = new ServerBag(array('HTTP_AUTHORIZATION' => 'Basic_'.base64_encode('foo:bar')));
+
+        // Username and passwords should not be set as the header is bogus
+        $headers = $bag->getHeaders();
+        $this->assertFalse(isset($headers['PHP_AUTH_USER']));
+        $this->assertFalse(isset($headers['PHP_AUTH_PW']));
+    }
+
     public function testHttpBasicAuthWithPhpCgiRedirect()
     {
-        $bag = new ServerBag(array('REDIRECT_HTTP_AUTHORIZATION' => 'Basic '.base64_encode('foo:bar')));
+        $bag = new ServerBag(array('REDIRECT_HTTP_AUTHORIZATION' => 'Basic '.base64_encode('username:pass:word')));
 
         $this->assertEquals(array(
-            'AUTHORIZATION' => 'Basic '.base64_encode('foo:bar'),
-            'PHP_AUTH_USER' => 'foo',
-            'PHP_AUTH_PW' => 'bar'
+            'AUTHORIZATION' => 'Basic '.base64_encode('username:pass:word'),
+            'PHP_AUTH_USER' => 'username',
+            'PHP_AUTH_PW' => 'pass:word'
         ), $bag->getHeaders());
     }
 
@@ -100,6 +110,17 @@ public function testHttpDigestAuthWithPhpCgi()
         ), $bag->getHeaders());
     }
 
+    public function testHttpDigestAuthWithPhpCgiBogus()
+    {
+        $digest = 'Digest_username="foo", realm="acme", nonce="'.md5('secret').'", uri="/protected, qop="auth"';
+        $bag = new ServerBag(array('HTTP_AUTHORIZATION' => $digest));
+
+        // Username and passwords should not be set as the header is bogus
+        $headers = $bag->getHeaders();
+        $this->assertFalse(isset($headers['PHP_AUTH_USER']));
+        $this->assertFalse(isset($headers['PHP_AUTH_PW']));
+    }
+
     public function testHttpDigestAuthWithPhpCgiRedirect()
     {
         $digest = 'Digest username="foo", realm="acme", nonce="'.md5('secret').'", uri="/protected, qop="auth"';