From 41851d60b466b7740647f73f317494b23ff7344c Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Sun, 28 Aug 2016 19:16:59 +0200
Subject: [PATCH 01/13] fix HTTP Basic Auth on FastCGI PHP
---
 app/webroot/.htaccess | 1 +
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 9 +++++++++
 2 files changed, 10 insertions(+)
diff --git a/app/webroot/.htaccess b/app/webroot/.htaccess
index e3543be40..bb4c43955 100644
--- a/app/webroot/.htaccess
+++ b/app/webroot/.htaccess
@@ -6,6 +6,7 @@
 RewriteEngine On
+ RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule ^ index.php [L]
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index 02144b171..c0cfbbd54 100644
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -82,6 +82,15 @@ class BasicAuthenticate extends BaseAuthenticate {
 * @return mixed Either false or an array of user information
 */
 public function getUser(CakeRequest $request) {
+ if(!isset($_SERVER['PHP_AUTH_USER'])) {
+ if (isset($_SERVER['HTTP_AUTHORIZATION']) && (strlen($_SERVER['HTTP_AUTHORIZATION']) > 0)) {
+ list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
+ if( strlen($_SERVER['PHP_AUTH_USER']) == 0 || strlen($_SERVER['PHP_AUTH_PW']) == 0 ) {
+ unset($_SERVER['PHP_AUTH_USER']);
+ unset($_SERVER['PHP_AUTH_PW']);
+ }
+ }
+ }
 $username = env('PHP_AUTH_USER');
 $pass = env('PHP_AUTH_PW');
From f5795f05a5409cd6e8ae5b1a8742cf17e346b425 Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Wed, 15 Mar 2017 13:59:56 +0100
Subject: [PATCH 02/13] BasicAuthenticate - code styling and strong type comparison
---
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
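Review bot: The new `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` line carries no explanation of why it exists, and it only helps requests that are actually routed through app/webroot/.htaccess; on Apache setups where the rewrite lives elsewhere, or where mod_rewrite's internal redirect exposes the variable as `REDIRECT_HTTP_AUTHORIZATION` instead, `$_SERVER['HTTP_AUTHORIZATION']` may still be absent and the PHP-side fallback added in the same patch will not fire. A one-line comment above the rule would save the next maintainer a search, e.g. `# Forward the Authorization header to PHP: many FastCGI configurations do not pass it through`. It is also worth a sentence in the install docs naming the variable to check when basic auth still fails behind FastCGI.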
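Review bot: The added `list(...) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)))` splits on every colon, so a password that contains `:` is silently truncated (RFC 7617 forbids the colon only in the user-id), and a decoded value with no colon at all leaves `$_SERVER['PHP_AUTH_PW']` assigned from a missing offset, emitting a notice before the `strlen` check on the next line cleans it up. Limit the split to two parts and check the shape before assigning, e.g. `$parts = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);` followed by a `count($parts) === 2` test. The same unbounded `explode` is carried unchanged through every later patch in this series, including the final form in PATCH 13/13, so the fix applies there as well. getUser() continues outside the hunk.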
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index c0cfbbd54..fcb0ddec5 100644
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -85,9 +85,8 @@ class BasicAuthenticate extends BaseAuthenticate {
 if(!isset($_SERVER['PHP_AUTH_USER'])) {
 if (isset($_SERVER['HTTP_AUTHORIZATION']) && (strlen($_SERVER['HTTP_AUTHORIZATION']) > 0)) {
 list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
- if( strlen($_SERVER['PHP_AUTH_USER']) == 0 || strlen($_SERVER['PHP_AUTH_PW']) == 0 ) {
- unset($_SERVER['PHP_AUTH_USER']);
- unset($_SERVER['PHP_AUTH_PW']);
+ if(strlen($_SERVER['PHP_AUTH_USER']) === 0 || strlen($_SERVER['PHP_AUTH_PW']) === 0) {
+ unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
 }
 }
 }
From a15c5c7a70bc742a5ba612084619706c5cc6128b Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Wed, 15 Mar 2017 14:08:17 +0100
Subject: [PATCH 03/13] BasicAuthenticate - added check to avoid parsing if "Authorization: Bearer " is in place
---
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index fcb0ddec5..563fa3071 100644
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -83,7 +83,7 @@ class BasicAuthenticate extends BaseAuthenticate {
 */
 public function getUser(CakeRequest $request) {
 if(!isset($_SERVER['PHP_AUTH_USER'])) {
- if (isset($_SERVER['HTTP_AUTHORIZATION']) && (strlen($_SERVER['HTTP_AUTHORIZATION']) > 0)) {
+ if (isset($_SERVER['HTTP_AUTHORIZATION']) && strlen($_SERVER['HTTP_AUTHORIZATION']) > 0 && strpos($_SERVER['HTTP_AUTHORIZATION'], 'basic') !== false) {
 list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
 if(strlen($_SERVER['PHP_AUTH_USER']) === 0 || strlen($_SERVER['PHP_AUTH_PW']) === 0) {
 unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
From 089a0ae087bf70ac0c2582bb23211eca86da0d93 Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Wed, 15 Mar 2017 15:06:39 +0100
Subject: [PATCH 04/13] using $request->header in place of $_SERVER['HTTP_AUTHORIZATION']
---
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index 563fa3071..9e6ce8a18 100644
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
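Review bot: The new `strpos($_SERVER['HTTP_AUTHORIZATION'], 'basic') !== false` guard is a substring search rather than a scheme check: it never matches the `Basic` spelling browsers actually send (scheme names are case-insensitive per RFC 7235), and it would accept any other scheme whose token merely contains that text, while the `substr(..., 6)` on the next line still assumes the value starts with exactly `Basic ` and a space. Anchor the check to the start of the header and make it case-insensitive, e.g. `stripos($_SERVER['HTTP_AUTHORIZATION'], 'Basic ') === 0`. PATCH 10/13 later changes the literal to `Basic` but keeps the unanchored `strpos`, so the same correction applies there and to the final hunk in PATCH 13/13. getUser() continues outside the hunk.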
@@ -83,8 +83,8 @@ class BasicAuthenticate extends BaseAuthenticate {
 */
 public function getUser(CakeRequest $request) {
 if(!isset($_SERVER['PHP_AUTH_USER'])) {
- if (isset($_SERVER['HTTP_AUTHORIZATION']) && strlen($_SERVER['HTTP_AUTHORIZATION']) > 0 && strpos($_SERVER['HTTP_AUTHORIZATION'], 'basic') !== false) {
- list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
+ if ($request->header('Authorization') !== false && strlen($request->header('Authorization')) > 0 && strpos($request->header('Authorization'), 'basic') !== false) {
+ list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($request->header('Authorization'), 6)));
 if(strlen($_SERVER['PHP_AUTH_USER']) === 0 || strlen($_SERVER['PHP_AUTH_PW']) === 0) {
 unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
 }
From 74f700882c22e61cd62df56de5230ce853296e13 Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Wed, 15 Mar 2017 16:27:27 +0100
Subject: [PATCH 05/13] local variable optimization
---
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index 9e6ce8a18..6e5d666ba 100644
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -83,8 +83,9 @@ class BasicAuthenticate extends BaseAuthenticate {
 */
 public function getUser(CakeRequest $request) {
 if(!isset($_SERVER['PHP_AUTH_USER'])) {
- if ($request->header('Authorization') !== false && strlen($request->header('Authorization')) > 0 && strpos($request->header('Authorization'), 'basic') !== false) {
- list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($request->header('Authorization'), 6)));
+ $httpAuthorization = $request->header('Authorization');
+ if ($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'basic') !== false) {
+ list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($httpAuthorization, 6)));
 if(strlen($_SERVER['PHP_AUTH_USER']) === 0 || strlen($_SERVER['PHP_AUTH_PW']) === 0) {
 unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
 }
From 5fb1b71cb62b12631a85b139668273b63dfc6f06 Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Wed, 15 Mar 2017 17:22:31 +0100
Subject: [PATCH 06/13] code style fix
---
 .../Controller/Component/Auth/BasicAuthenticate.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
 mode change 100644 => 100755 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
old mode 100644
new mode 100755
index 6e5d666ba..e3a9326c7
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -84,12 +84,12 @@ class BasicAuthenticate extends BaseAuthenticate {
 public function getUser(CakeRequest $request) {
 if(!isset($_SERVER['PHP_AUTH_USER'])) {
 $httpAuthorization = $request->header('Authorization');
- if ($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'basic') !== false) {
- list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($httpAuthorization, 6)));
- if(strlen($_SERVER['PHP_AUTH_USER']) === 0 || strlen($_SERVER['PHP_AUTH_PW']) === 0) {
- unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
- }
- }
+ if($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'basic') !== false) {
+ list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($httpAuthorization, 6)));
+ if(strlen($_SERVER['PHP_AUTH_USER']) === 0 || strlen($_SERVER['PHP_AUTH_PW']) === 0) {
+ unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
+ }
+ }
 }
 $username = env('PHP_AUTH_USER');
 $pass = env('PHP_AUTH_PW');
From ff210b04d721d28be0c57c7010faf73eb04eefd8 Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Wed, 15 Mar 2017 17:32:47 +0100
Subject: [PATCH 07/13] code style
---
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index e3a9326c7..e5395c8ee 100755
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -82,11 +82,11 @@ class BasicAuthenticate extends BaseAuthenticate {
 * @return mixed Either false or an array of user information
 */
 public function getUser(CakeRequest $request) {
- if(!isset($_SERVER['PHP_AUTH_USER'])) {
+ if (!isset($_SERVER['PHP_AUTH_USER'])) {
 $httpAuthorization = $request->header('Authorization');
- if($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'basic') !== false) {
+ if ($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'basic') !== false) {
 list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($httpAuthorization, 6)));
- if(strlen($_SERVER['PHP_AUTH_USER']) === 0 || strlen($_SERVER['PHP_AUTH_PW']) === 0) {
+ if (strlen($_SERVER['PHP_AUTH_USER']) === 0 || strlen($_SERVER['PHP_AUTH_PW']) === 0) {
 unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
 }
 }
From ca6ca9376ed9a66a100339bd60595eb8efcf68d2 Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Sat, 18 Mar 2017 13:34:26 +0100
Subject: [PATCH 08/13] refactoring to avoid tampering with $_SERVER
---
 .../Controller/Component/Auth/BasicAuthenticate.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index e5395c8ee..df9dc3e57 100755
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -82,17 +82,17 @@ class BasicAuthenticate extends BaseAuthenticate {
 * @return mixed Either false or an array of user information
 */
 public function getUser(CakeRequest $request) {
+ $username = '';
+ $pass = '';
 if (!isset($_SERVER['PHP_AUTH_USER'])) {
+ $username = env('PHP_AUTH_USER');
+ $pass = env('PHP_AUTH_PW');
+ } else {
 $httpAuthorization = $request->header('Authorization');
 if ($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'basic') !== false) {
- list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($httpAuthorization, 6)));
- if (strlen($_SERVER['PHP_AUTH_USER']) === 0 || strlen($_SERVER['PHP_AUTH_PW']) === 0) {
- unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
- }
+ list($username, $pass) = explode(':', base64_decode(substr($httpAuthorization, 6)));
 }
 }
- $username = env('PHP_AUTH_USER');
- $pass = env('PHP_AUTH_PW');
 if (!is_string($username) || $username === '' || !is_string($pass) || $pass === '') {
 return false;
From 7cd9d4381a26cc3799a7e1209d26439f7779cf31 Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Sat, 18 Mar 2017 14:44:44 +0100
Subject: [PATCH 09/13] typo
---
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index df9dc3e57..29c6e8100 100755
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -84,7 +84,7 @@ class BasicAuthenticate extends BaseAuthenticate {
 public function getUser(CakeRequest $request) {
 $username = '';
 $pass = '';
- if (!isset($_SERVER['PHP_AUTH_USER'])) {
+ if (isset($_SERVER['PHP_AUTH_USER'])) {
 $username = env('PHP_AUTH_USER');
 $pass = env('PHP_AUTH_PW');
 } else {
From a1eb067c71387de9e8bea4e794ac0b690f58e1fb Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Sun, 23 Apr 2017 18:27:09 +0200
Subject: [PATCH 10/13] bugfix basic to Basic
---
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index 29c6e8100..8e98fda21 100755
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -89,7 +89,7 @@ class BasicAuthenticate extends BaseAuthenticate {
 $pass = env('PHP_AUTH_PW');
 } else {
 $httpAuthorization = $request->header('Authorization');
- if ($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'basic') !== false) {
+ if ($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'Basic') !== false) {
 list($username, $pass) = explode(':', base64_decode(substr($httpAuthorization, 6)));
 }
 }
From 99d02a8698e8959619b1c5216eeae15dfa9ce205 Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Sun, 23 Apr 2017 18:41:45 +0200
Subject: [PATCH 11/13] fix permission
---
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100755 => 100644 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
old mode 100755
new mode 100644
From 09a981ba383170d8a56d97fa1b46937150d4ef22 Mon Sep 17 00:00:00 2001
From: Nicola Beghin
Date: Sun, 23 Apr 2017 18:44:42 +0200
Subject: [PATCH 12/13] code style fix as requested
---
 lib/Cake/Controller/Component/Auth/BasicAuthenticate.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index 8e98fda21..b7daa74f4 100644
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -82,12 +82,9 @@ class BasicAuthenticate extends BaseAuthenticate {
 * @return mixed Either false or an array of user information
 */
 public function getUser(CakeRequest $request) {
- $username = '';
- $pass = '';
- if (isset($_SERVER['PHP_AUTH_USER'])) {
- $username = env('PHP_AUTH_USER');
- $pass = env('PHP_AUTH_PW');
- } else {
+ $username = env('PHP_AUTH_USER');
+ $pass = env('PHP_AUTH_PW');
+ if (empty($username)) {
 $httpAuthorization = $request->header('Authorization');
 if ($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'Basic') !== false) {
 list($username, $pass) = explode(':', base64_decode(substr($httpAuthorization, 6)));
From 275385d676c8c59ec2af9db4b6a29b8d1edf7404 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Fri, 28 Apr 2017 21:48:31 -0400
Subject: [PATCH 13/13] Add test covering basic auth reading from headers.
In some FastCGI setups basic auth values will only be present in the header. Fallback to reading that value if the PHP_AUTH super globals are empty. Refs #9365
---
 .../Component/Auth/BasicAuthenticate.php | 4 ++--
 .../Component/Auth/BasicAuthenticateTest.php | 24 +++++++++++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
index b7daa74f4..86f70c8ca 100644
--- a/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/BasicAuthenticate.php
@@ -84,9 +84,9 @@ class BasicAuthenticate extends BaseAuthenticate {
 public function getUser(CakeRequest $request) {
 $username = env('PHP_AUTH_USER');
 $pass = env('PHP_AUTH_PW');
- if (empty($username)) {
+ if (!strlen($username)) {
 $httpAuthorization = $request->header('Authorization');
- if ($httpAuthorization !== false && strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'Basic') !== false) {
+ if (strlen($httpAuthorization) > 0 && strpos($httpAuthorization, 'Basic') !== false) {
 list($username, $pass) = explode(':', base64_decode(substr($httpAuthorization, 6)));
 }
 }
diff --git a/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php b/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php
index df18703c4..af5086caf 100644
--- a/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/Auth/BasicAuthenticateTest.php
@@ -15,8 +15,6 @@
 * @since CakePHP(tm) v 2.0
 * @license http://www.opensource.org/licenses/mit-license.php MIT License
 */
-
-App::uses('AuthComponent', 'Controller/Component');
 App::uses('BasicAuthenticate', 'Controller/Component/Auth');
 App::uses('AppModel', 'Model');
 App::uses('CakeRequest', 'Network');
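Review bot: The rewritten `if (!strlen($username))` passes whatever `env('PHP_AUTH_USER')` returns for an absent key (presumably `null`) straight into `strlen()`, and dropping the `!== false` guard on the next changed line does the same with the `false` that `CakeRequest::header()` appears to return for a missing header, judging by the comparison the earlier patches used; both coerce silently on the PHP versions this branch targets, but `null` to `strlen()` is a deprecation on PHP 8.1+, so normalising first keeps the intent explicit: `$username = (string)env('PHP_AUTH_USER');` and `$httpAuthorization = (string)$request->header('Authorization');`. The retained `base64_decode(substr($httpAuthorization, 6))` is also non-strict, so a malformed header decodes to arbitrary bytes that are then split and handed to the user lookup; `base64_decode(substr($httpAuthorization, 6), true)` with an early `return false` when it yields `false` rejects such input before any lookup happens. getUser() continues outside the hunk with the `is_string`/empty checks.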
@@ -197,6 +195,28 @@ class BasicAuthenticateTest extends CakeTestCase {
 $this->assertEquals($expected, $result);
 }
+/**
+ * test authenticate success with header values
+ *
+ * @return void
+ */
+ public function testAuthenticateSuccessFromHeaders() {
+ $_SERVER['HTTP_AUTHORIZATION'] = 'Basic ' . base64_encode('mariano:password');
+ unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
+ $request = new CakeRequest('posts/index', false);
+ $request->addParams(array('pass' => array(), 'named' => array()));
+ $result = $this->auth->authenticate($request, $this->response);
+ $expected = array(
+ 'id' => 1,
+ 'user' => 'mariano',
+ 'created' => '2007-03-17 01:16:23',
+ 'updated' => '2007-03-17 01:18:31'
+ );
+ $this->assertEquals($expected, $result);
+ }
+
 /**
 * test contain success
 *
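Review bot: testAuthenticateSuccessFromHeaders() assigns `$_SERVER['HTTP_AUTHORIZATION']` and unsets `PHP_AUTH_USER`/`PHP_AUTH_PW` without restoring them, so unless a tearDown() outside this hunk resets `$_SERVER`, every later test in this process inherits a valid Basic header for `mariano` and may pass through the new fallback rather than the path it was written to exercise. Save the three keys at the top of the method and restore them at the end (or centralise that in tearDown()), e.g. `$_SERVER = $backup;` after `$this->assertEquals($expected, $result);`. A companion case that sends a different scheme or a payload without a colon and asserts `false` — the value getUser() returns for empty credentials per the context lines in PATCH 08/13 — would pin down the parsing guard this series introduces.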