new: [API] Added unsafe URL parameter to authenticate users

- for legacy tools that cannot pass headers in HTTP requests for some insane reason
- Needs to be enabled by a site admin - default is that it is disabled
- MISP's diagnostic tool WILL complain if this is ever enabled
pull/3399/head
iglocska 2018-06-27 14:25:40 +02:00
parent 2a892fe9ab
commit 81c0fc2279
2 changed files with 18 additions and 1 deletions


@ -178,10 +178,18 @@ class AppController extends Controller {
// disable CSRF for REST access
if (array_key_exists('Security', $this->components))
$this->Security->csrfCheck = false;
// If enabled, allow passing the API key via a named parameter (for crappy legacy systems only)
$namedParamAuthkey = false;
if (Configure::read('Security.allow_unsafe_apikey_named_param') && !empty($this->params['named']['apikey'])) {
$namedParamAuthkey = $this->params['named']['apikey'];
}
// Authenticate user with authkey in Authorization HTTP header
if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
if (!empty($_SERVER['HTTP_AUTHORIZATION']) || !empty($namedParamAuthkey)) {
$found_misp_auth_key = false;
$authentication = explode(',', $_SERVER['HTTP_AUTHORIZATION']);
if (!empty($namedParamAuthkey)) {
$authentication[] = $namedParamAuthkey;
}
$user = false;
foreach ($authentication as $auth_key) {
if (preg_match('/^[a-zA-Z0-9]{40}$/', trim($auth_key))) {
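Review bot: When the Authorization header is absent and only the named parameter is set, the `explode(',', $_SERVER['HTTP_AUTHORIZATION'])` right after `$found_misp_auth_key = false;` reads an undefined index, so every named-parameter login emits a PHP notice (and on newer PHP an `explode()`-on-null deprecation) before the key is appended; guard it with `$authentication = !empty($_SERVER['HTTP_AUTHORIZATION']) ? explode(',', $_SERVER['HTTP_AUTHORIZATION']) : array();`. Today the resulting empty string simply fails the 40-character pattern, so authentication still succeeds, but the notice is noise in the error log. Because a key passed this way lands in web-server access logs, proxy logs and Referer headers, it would also be worth recording when the named-parameter path was actually used (e.g. keeping a flag alongside `$namedParamAuthkey`) so an admin can audit that use rather than only being warned that the option is on. The enclosing AppController method starts and ends outside the hunk.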


@ -1056,6 +1056,15 @@ class Server extends AppModel {
'test' => 'testBool',
'type' => 'boolean',
'null' => true
),
'allow_unsafe_apikey_named_param' => array(
'level' => 0,
'description' => 'Allows passing the API key via the named url parameter "apikey" - highly recommended not to enable this, but if you have some dodgy legacy tools that cannot pass the authorization header it can work as a workaround. Again, only use this as a last resort.',
'value' => false,
'errorMessage' => 'You have enabled the passing of API keys via URL parameters. This is highly recommended against, do you really want to reveal APIkeys in your logs?...',
'test' => 'testBoolFalse',
'type' => 'boolean',
'null' => true
)
),
'SecureAuth' => array(
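Review bot: The `description` string of the new `allow_unsafe_apikey_named_param` entry names logs as the only exposure, but a key placed in the URL also ends up in Referer headers, browser history, bookmarks and intermediate proxy caches; listing those in the `description` (and in the `errorMessage` the diagnostic shows) gives an admin the full picture before enabling it. It would also help to state the exact syntax the legacy tool must use: the controller reads `$this->params['named']['apikey']`, which in CakePHP appears to be the `apikey:<value>` path-segment form rather than a `?apikey=` query string — worth confirming and spelling out, since "named url parameter" alone is ambiguous. The surrounding settings array of Server starts and ends outside the hunk.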