From b4bcd74e60d7013a02268a9b245ad29793bdf516 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Mon, 23 Jun 2014 14:39:35 -0400
Subject: [PATCH] Whitelist more URL-y characters in digest parsing.
Android clients include a full URL instead of just the URI. Also handle situations where URLencoded bytes and document fragments are used. Refs #3779
---
 .../Component/Auth/DigestAuthenticate.php | 4 +---
 .../Component/Auth/DigestAuthenticateTest.php | 23 +++++++++++++++++++
 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/lib/Cake/Controller/Component/Auth/DigestAuthenticate.php b/lib/Cake/Controller/Component/Auth/DigestAuthenticate.php
index 72fc95de3..cfda4741f 100644
--- a/lib/Cake/Controller/Component/Auth/DigestAuthenticate.php
+++ b/lib/Cake/Controller/Component/Auth/DigestAuthenticate.php
@@ -1,7 +1,5 @@ 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1);
- preg_match_all('/(\w+)=([\'"]?)([a-zA-Z0-9@=.\/_-]+)\2/', $digest, $match, PREG_SET_ORDER);
+ preg_match_all('/(\w+)=([\'"]?)([a-zA-Z0-9\:\#\%@=.\/_-]+)\2/', $digest, $match, PREG_SET_ORDER);
 foreach ($match as $i) {
 $keys[$i[1]] = $i[3];
diff --git a/lib/Cake/Test/Case/Controller/Component/Auth/DigestAuthenticateTest.php b/lib/Cake/Test/Case/Controller/Component/Auth/DigestAuthenticateTest.php
index 395524751..99a334fbd 100644
--- a/lib/Cake/Test/Case/Controller/Component/Auth/DigestAuthenticateTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/Auth/DigestAuthenticateTest.php
@@ -242,6 +242,29 @@ DIGEST;
 $this->assertNull($result);
 }
+/**
+ * Test parsing a full URI. While not part of the spec some mobile clients will do it wrong.
+ *
+ * @return void
+ */
+ public function testParseAuthDataFullUri() {
+ $digest = <<auth->parseAuthData($digest);
+ $this->assertSame($expected, $result['uri']);
+ }
+ /**
+ * test parsing digest information with email addresses
+ *
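Review bot: The widened class in the `+` line still truncates instead of rejecting: because group 2 (`[\'"]?`) is optional and group 3 is a greedy whitelist, a quoted value containing any character outside the class (a `?`/`&` query string, `+`, `~`, or a space in `realm`/`username`) backtracks to an empty quote group and captures only the leading run, so `$keys['uri']` silently holds a prefix of what the client actually signed. Matching the RFC 2617 quoted-string form explicitly avoids that: `preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $digest, $match, PREG_SET_ORDER);` with `$keys[$i[1]] = isset($i[3]) ? $i[3] : $i[2];` (which also drops the non-RFC single-quote form). These values presumably go on to the response-hash comparison and the user lookup, neither of which is in the hunk, so whatever form is adopted should keep the `$req` required-key check so an incomplete header still yields null as the existing `assertNull` test expects, and the caller should compare the parsed `uri` with the request's own target (RFC 2617 §3.2.2.5) rather than validating against header-supplied data alone. The enclosing `parseAuthData` starts before and ends after the hunk.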
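Review bot: The new test asserts only `$result['uri']`, and its heredoc body is not visible in this rendering, so it is unclear whether the `%`-encoded bytes and `#` fragments named in the commit message are exercised at all; a second dataset carrying both (a constructed value such as `uri="http://host/path%20x#frag"`) with assertions on the other parsed keys would cover the whole stated change. A companion case with a query string (`?a=b`) would make the whitelist's current behaviour on `?`/`&` explicit so a later parser change is caught by the suite. The surrounding test class starts before and ends after the hunk.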