diff --git a/VERSION.json b/VERSION.json
index 4060db1d3..154f3f75b 100644
--- a/VERSION.json
+++ b/VERSION.json
@@ -1 +1 @@
-{"major":2, "minor":3, "hotfix":65}
+{"major":2, "minor":3, "hotfix":67}
diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index 43380e564..47308687e 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -89,26 +89,30 @@ class AppController extends Controller {
 $this->Security->csrfCheck = false;
 // Authenticate user with authkey in Authorization HTTP header
 if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
+ $found_misp_auth_key = false;
 $authentication = explode(',', $_SERVER['HTTP_AUTHORIZATION']);
 $user = false;
 foreach ($authentication as $auth_key) {
 if (preg_match('/^[a-zA-Z0-9]{40}$/', trim($auth_key))) {
+ $found_misp_auth_key = true;
 $user = $this->checkAuthUser(trim($auth_key));
 continue;
 }
 }
- if ($user) {
- unset($user['User']['gpgkey']);
- // User found in the db, add the user info to the session
- $this->Session->renew();
- $this->Session->write(AuthComponent::$sessionKey, $user['User']);
- } else {
- // User not authenticated correctly
- // reset the session information
- $this->Session->destroy();
- throw new ForbiddenException('The authentication key provided cannot be used for syncing.');
+ if ($found_misp_auth_key) {
+ if ($user) {
+ unset($user['User']['gpgkey']);
+ // User found in the db, add the user info to the session
+ $this->Session->renew();
+ $this->Session->write(AuthComponent::$sessionKey, $user['User']);
+ } else {
+ // User not authenticated correctly
+ // reset the session information
+ $this->Session->destroy();
+ throw new ForbiddenException('The authentication key provided cannot be used for syncing.');
+ }
+ unset($user);
 }
- unset($user);
 }
 } else if(!$this->Session->read(AuthComponent::$sessionKey)) {
 // load authentication plugins from Configure::read('Security.auth')
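Review bot: With the new `if ($found_misp_auth_key)` guard, an Authorization header that carries no 40-character MISP key now skips both the session reset and the ForbiddenException, and because this is the `if` arm of the `} else if(!$this->Session->read(AuthComponent::$sessionKey))` at the end of the hunk, the branch that loads the authentication plugins is skipped as well, so the request continues on whatever session already exists. That looks intended, presumably so that other Authorization schemes (for example credentials injected by a reverse proxy) are no longer rejected outright, but the silent fall-through deserves a comment such as `// Authorization header without a MISP key: leave the session alone so other auth schemes can still be handled`. If such requests should instead go through the normal login path, initialise `$found_misp_auth_key = false;` before the outer `if` and change the fallback to `} if (!$found_misp_auth_key && !$this->Session->read(AuthComponent::$sessionKey)) {`. Separately, the loop `continue`s rather than `break`s on a match, so when the header lists several 40-character tokens the last one decides `$user` and a later invalid one overrides an earlier valid one; that is pre-existing, but worth a comment now that the guard depends on it. The enclosing method starts before the hunk and the `else if` body continues after it.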
@@ -190,7 +194,8 @@ class AppController extends Controller {
 public $userRole = null;
- protected function _isJson(){
+ protected function _isJson($data=false){
+ if ($data) return (json_decode($data) != NULL) ? true : false;
 return $this->request->header('Accept') === 'application/json';
 }
diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php
index 593034ba7..a98ff0d55 100755
--- a/app/Controller/AttributesController.php
+++ b/app/Controller/AttributesController.php
@@ -1532,7 +1532,7 @@ class AttributesController extends AppController {
 }
 if ($from) $from = $this->Attribute->Event->dateFieldCheck($from);
- if ($to) $from = $this->Attribute->Event->dateFieldCheck($to);
+ if ($to) $to = $this->Attribute->Event->dateFieldCheck($to);
 if (!isset($this->request->params['ext']) || $this->request->params['ext'] !== 'json') {
 $this->response->type('xml'); // set the content type
 $this->layout = 'xml/default';
@@ -1772,7 +1772,7 @@ class AttributesController extends AppController {
 }
 if ($type === 'null' || $type === '0' || $type === 'false') $type = 'all';
 if ($from) $from = $this->Attribute->Event->dateFieldCheck($from);
- if ($to) $from = $this->Attribute->Event->dateFieldCheck($to);
+ if ($to) $to = $this->Attribute->Event->dateFieldCheck($to);
 if ($key != 'download') {
 // check if the key is valid -> search for users based on key
 $user = $this->checkAuthUser($key);
diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index 294658fe7..c3fc02e5b 100755
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
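Review bot: `json_decode($data) != NULL` in the added line misreports valid JSON whose decoded value is loosely equal to null — the documents `0`, `false`, `""` and `null` all decode to a value for which the check yields false — and the loose `!=` is a further wart. Detect via the decoder's error state instead: `if ($data) { json_decode($data); return json_last_error() === JSON_ERROR_NONE; }`. Note also that `if ($data)` is a truthiness test, so a body of `'0'` falls through to the Accept-header check; if that matters use `$data !== false` (an empty string would then be reported as not JSON rather than deferring to the header). The parameter and return are untyped, so at minimum give `_isJson` a docblock saying that with `$data` it reports whether that string parses as JSON and without it reports whether the Accept header is `application/json`.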
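Review bot: The corrected `$to` line is the same from/to validation pair copied into eight places (this hunk, AttributesController @@ -1772 and the six EventsController hunks at 1729, 1809, 1847, 1882, 2415 and 2992), which is exactly how the `$from` copy-paste slipped through. Folding the pair into one helper on the Event model that takes and returns both bounds — `dateFieldCheck` is presumably a validator, so a thin wrapper around it would do — removes the duplication and the risk of it recurring. The surrounding `if ($from)` / `if ($to)` truthiness tests also skip validation entirely for a literal `'0'`; whether `dateFieldCheck` would accept or reject that value is not visible here. Each of these hunks sits inside a method that starts and ends outside the hunk.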
@@ -1729,7 +1729,7 @@ class EventsController extends AppController {
 if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
 }
 if ($from) $from = $this->Event->dateFieldCheck($from);
- if ($to) $from = $this->Event->dateFieldCheck($to);
+ if ($to) $to = $this->Event->dateFieldCheck($to);
 if ($tags) $tags = str_replace(';', ':', $tags);
 $eventIdArray = array();
@@ -1809,7 +1809,7 @@ class EventsController extends AppController {
 }
 if ($from) $from = $this->Event->dateFieldCheck($from);
- if ($to) $from = $this->Event->dateFieldCheck($to);
+ if ($to) $to = $this->Event->dateFieldCheck($to);
 if ($tags) $tags = str_replace(';', ':', $tags);
 // backwards compatibility, swap key and format
 if ($format != 'snort' && $format != 'suricata') {
@@ -1847,7 +1847,7 @@ class EventsController extends AppController {
 }
 if ($from) $from = $this->Event->dateFieldCheck($from);
- if ($to) $from = $this->Event->dateFieldCheck($to);
+ if ($to) $to = $this->Event->dateFieldCheck($to);
 if ($tags) $tags = str_replace(';', ':', $tags);
 $this->response->type('txt'); // set the content type
 $this->header('Content-Disposition: download; filename="misp.' . $type . '.rules"');
@@ -1882,7 +1882,7 @@ class EventsController extends AppController {
 }
 if ($from) $from = $this->Event->dateFieldCheck($from);
- if ($to) $from = $this->Event->dateFieldCheck($to);
+ if ($to) $to = $this->Event->dateFieldCheck($to);
 if ($tags) $tags = str_replace(';', ':', $tags);
 $list = array();
 if ($key != 'download') {
@@ -2415,7 +2415,7 @@ class EventsController extends AppController {
 }
 if ($from) $from = $this->Event->dateFieldCheck($from);
- if ($to) $from = $this->Event->dateFieldCheck($to);
+ if ($to) $to = $this->Event->dateFieldCheck($to);
 if ($tags) $tags = str_replace(';', ':', $tags);
 if ($searchall === 'true') $searchall = "1";
@@ -2992,7 +2992,7 @@ class EventsController extends AppController {
 if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
 }
 if ($from) $from = $this->Event->dateFieldCheck($from);
- if ($to) $from = $this->Event->dateFieldCheck($to);
+ if ($to) $to = $this->Event->dateFieldCheck($to);
 // set null if a null string is passed
 $numeric = false;