new: [API] Added unsafe URL parameter to authenticate users
- for legacy tools that cannot pass headers in HTTP requests for some insane reason
- Needs to be enabled by a site admin - default is that it is disabled
- MISP's diagnostic tool WILL complain if this is ever enabled
pull/3399/head
parent
2a892fe9ab
commit
81c0fc2279
|
@ -178,10 +178,18 @@ class AppController extends Controller {
|
|||
// disable CSRF for REST access
|
||||
if (array_key_exists('Security', $this->components))
|
||||
$this->Security->csrfCheck = false;
|
||||
// If enabled, allow passing the API key via a named parameter (for crappy legacy systems only)
|
||||
$namedParamAuthkey = false;
|
||||
if (Configure::read('Security.allow_unsafe_apikey_named_param') && !empty($this->params['named']['apikey'])) {
|
||||
$namedParamAuthkey = $this->params['named']['apikey'];
|
||||
}
|
||||
// Authenticate user with authkey in Authorization HTTP header
|
||||
if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
|
||||
if (!empty($_SERVER['HTTP_AUTHORIZATION']) || !empty($namedParamAuthkey)) {
|
||||
$found_misp_auth_key = false;
|
||||
$authentication = explode(',', $_SERVER['HTTP_AUTHORIZATION']);
|
||||
if (!empty($namedParamAuthkey)) {
|
||||
$authentication[] = $namedParamAuthkey;
|
||||
}
|
||||
$user = false;
|
||||
foreach ($authentication as $auth_key) {
|
||||
if (preg_match('/^[a-zA-Z0-9]{40}$/', trim($auth_key))) {
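Review bot: When only the named parameter is supplied and no Authorization header is present, the widened `if` is satisfied but the next statement still reads `$_SERVER['HTTP_AUTHORIZATION']` unconditionally, which raises an undefined-index notice and hands `null` to `explode()`. Guard the read: `$authentication = !empty($_SERVER['HTTP_AUTHORIZATION']) ? explode(',', $_SERVER['HTTP_AUTHORIZATION']) : array();`. The URL key is appended after the header values, so it is only consulted once every header key has been tried; if that precedence is intentional it deserves a line such as `// header keys take precedence; the URL key is tried last`. Because a key in the query path is visible to web-server and proxy logs and to Referer headers, it is worth confirming outside this hunk that request logging and error pages do not echo `params['named']` back. The foreach body and the enclosing method continue past the hunk.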
|
||||
|
|
|
@ -1056,6 +1056,15 @@ class Server extends AppModel {
|
|||
'test' => 'testBool',
|
||||
'type' => 'boolean',
|
||||
'null' => true
|
||||
),
|
||||
'allow_unsafe_apikey_named_param' => array(
|
||||
'level' => 0,
|
||||
'description' => 'Allows passing the API key via the named url parameter "apikey" - highly recommended not to enable this, but if you have some dodgy legacy tools that cannot pass the authorization header it can work as a workaround. Again, only use this as a last resort.',
|
||||
'value' => false,
|
||||
'errorMessage' => 'You have enabled the passing of API keys via URL parameters. This is highly recommended against, do you really want to reveal APIkeys in your logs?...',
|
||||
'test' => 'testBoolFalse',
|
||||
'type' => 'boolean',
|
||||
'null' => true
|
||||
)
|
||||
),
|
||||
'SecureAuth' => array(
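Review bot: The `errorMessage` on the new setting is conversational and trails off with an ellipsis, which reads poorly on the diagnostics page where an admin has to act on it; a direct statement of the exposure is more useful, e.g. `'errorMessage' => 'Passing the API key via the "apikey" URL parameter is enabled. Keys sent in the URL are exposed in web server and proxy logs, browser history and Referer headers; disable this unless a legacy client leaves no alternative.',`. The `description` could likewise name that concrete exposure instead of calling the tools "dodgy", since it is the text read before the switch is flipped. The entry is otherwise consistent with the surrounding `testBool` settings; `'test' => 'testBoolFalse'` is presumably what makes the diagnostic flag a `true` value, which matches the commit description. The enclosing settings array continues on both sides of the hunk.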
|
||||
|
|