From c02aeb88029b8831e8b821ce84712c0675be5a30 Mon Sep 17 00:00:00 2001 From: iglocska Date: Sat, 16 May 2015 01:31:18 +0200 Subject: [PATCH 1/2] Fix to copy pasta issue breaking from/to filters in exports, fixes #494 --- VERSION.json | 2 +- app/Controller/AttributesController.php | 4 ++-- app/Controller/EventsController.php | 12 ++++++------ 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/VERSION.json b/VERSION.json index 4060db1d3..b1367565c 100644 --- a/VERSION.json +++ b/VERSION.json @@ -1 +1 @@ -{"major":2, "minor":3, "hotfix":65} +{"major":2, "minor":3, "hotfix":66} diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php index 44983df30..e9169d991 100755 --- a/app/Controller/AttributesController.php +++ b/app/Controller/AttributesController.php @@ -1531,7 +1531,7 @@ class AttributesController extends AppController { } if ($from) $from = $this->Attribute->Event->dateFieldCheck($from); - if ($to) $from = $this->Attribute->Event->dateFieldCheck($to); + if ($to) $to = $this->Attribute->Event->dateFieldCheck($to); if (!isset($this->request->params['ext']) || $this->request->params['ext'] !== 'json') { $this->response->type('xml'); // set the content type $this->layout = 'xml/default'; @@ -1771,7 +1771,7 @@ class AttributesController extends AppController { } if ($type === 'null' || $type === '0' || $type === 'false') $type = 'all'; if ($from) $from = $this->Attribute->Event->dateFieldCheck($from); - if ($to) $from = $this->Attribute->Event->dateFieldCheck($to); + if ($to) $to = $this->Attribute->Event->dateFieldCheck($to); if ($key != 'download') { // check if the key is valid -> search for users based on key $user = $this->checkAuthUser($key); diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php index cdc4df007..1e1a180ea 100755 --- a/app/Controller/EventsController.php +++ b/app/Controller/EventsController.php 
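Review bot: The corrected `$to` line at the @1531 hunk is the same two-line from/to normalisation that is repeated verbatim at @1771 and at six places in EventsController (@1726, @1806, @1844, @1879, @2412, @2989), and the copy-paste defect this patch fixes is the cost of that duplication; folding it into one helper (say `list($from, $to) = $this->Attribute->Event->dateRangeCheck($from, $to);`) would let the next such fix land once instead of eight times. Both guards also test truthiness (`if ($from)`, `if ($to)`), so a literal `'0'` skips `dateFieldCheck()` and reaches the query untouched; if `dateFieldCheck()` is the validation step for these user-supplied filter values (its body is outside the patch), `$from !== null && $from !== ''` style guards would be stricter. The enclosing actions start and end outside these hunks.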
@@ -1726,7 +1726,7 @@ class EventsController extends AppController { if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false; } if ($from) $from = $this->Event->dateFieldCheck($from); - if ($to) $from = $this->Event->dateFieldCheck($to); + if ($to) $to = $this->Event->dateFieldCheck($to); if ($tags) $tags = str_replace(';', ':', $tags); $eventIdArray = array(); @@ -1806,7 +1806,7 @@ class EventsController extends AppController { } if ($from) $from = $this->Event->dateFieldCheck($from); - if ($to) $from = $this->Event->dateFieldCheck($to); + if ($to) $to = $this->Event->dateFieldCheck($to); if ($tags) $tags = str_replace(';', ':', $tags); // backwards compatibility, swap key and format if ($format != 'snort' && $format != 'suricata') { @@ -1844,7 +1844,7 @@ class EventsController extends AppController { } if ($from) $from = $this->Event->dateFieldCheck($from); - if ($to) $from = $this->Event->dateFieldCheck($to); + if ($to) $to = $this->Event->dateFieldCheck($to); if ($tags) $tags = str_replace(';', ':', $tags); $this->response->type('txt'); // set the content type $this->header('Content-Disposition: download; filename="misp.' . $type . '.rules"'); @@ -1879,7 +1879,7 @@ class EventsController extends AppController { } if ($from) $from = $this->Event->dateFieldCheck($from); - if ($to) $from = $this->Event->dateFieldCheck($to); + if ($to) $to = $this->Event->dateFieldCheck($to); if ($tags) $tags = str_replace(';', ':', $tags); $list = array(); if ($key != 'download') { @@ -2412,7 +2412,7 @@ class EventsController extends AppController { } if ($from) $from = $this->Event->dateFieldCheck($from); - if ($to) $from = $this->Event->dateFieldCheck($to); + if ($to) $to = $this->Event->dateFieldCheck($to); if ($tags) $tags = str_replace(';', ':', $tags); if ($searchall === 'true') $searchall = "1"; 
@@ -2989,7 +2989,7 @@ class EventsController extends AppController { if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false; } if ($from) $from = $this->Event->dateFieldCheck($from); - if ($to) $from = $this->Event->dateFieldCheck($to); + if ($to) $to = $this->Event->dateFieldCheck($to); // set null if a null string is passed $numeric = false; From 85e52810a4facd9ee2885f7e3d8fc132d3b8d735 Mon Sep 17 00:00:00 2001 From: iglocska Date: Wed, 20 May 2015 16:32:04 +0200 Subject: [PATCH 2/2] Ignoring non MISP AUTHORIZATION headers, fixes #478 - Users being logged on would not be able to use the actions that are also used for automation - Those actions trigger a check of the authorization header, which in certain use cases can be set with values that is outside of the scope of MISP - MISP will now try to only detect MISP auth keys in the headers and if it detects something else it ignores it --- VERSION.json | 2 +- app/Controller/AppController.php | 29 +++++++++++++++++------------ 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/VERSION.json b/VERSION.json index b1367565c..154f3f75b 100644 --- a/VERSION.json +++ b/VERSION.json @@ -1 +1 @@ -{"major":2, "minor":3, "hotfix":66} +{"major":2, "minor":3, "hotfix":67} diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php index 43380e564..47308687e 100755 --- a/app/Controller/AppController.php +++ b/app/Controller/AppController.php 
@@ -89,26 +89,30 @@ class AppController extends Controller { $this->Security->csrfCheck = false; // Authenticate user with authkey in Authorization HTTP header if (!empty($_SERVER['HTTP_AUTHORIZATION'])) { + $found_misp_auth_key = false; $authentication = explode(',', $_SERVER['HTTP_AUTHORIZATION']); $user = false; foreach ($authentication as $auth_key) { if (preg_match('/^[a-zA-Z0-9]{40}$/', trim($auth_key))) { + $found_misp_auth_key = true; $user = $this->checkAuthUser(trim($auth_key)); continue; } } - if ($user) { - unset($user['User']['gpgkey']); - // User found in the db, add the user info to the session - $this->Session->renew(); - $this->Session->write(AuthComponent::$sessionKey, $user['User']); - } else { - // User not authenticated correctly - // reset the session information - $this->Session->destroy(); - throw new ForbiddenException('The authentication key provided cannot be used for syncing.'); + if ($found_misp_auth_key) { + if ($user) { + unset($user['User']['gpgkey']); + // User found in the db, add the user info to the session + $this->Session->renew(); + $this->Session->write(AuthComponent::$sessionKey, $user['User']); + } else { + // User not authenticated correctly + // reset the session information + $this->Session->destroy(); + throw new ForbiddenException('The authentication key provided cannot be used for syncing.'); + } + unset($user); } - unset($user); } } else if(!$this->Session->read(AuthComponent::$sessionKey)) { // load authentication plugins from Configure::read('Security.auth') @@ -190,7 +194,8 @@ class AppController extends Controller { public $userRole = null; - protected function _isJson(){ + protected function _isJson($data=false){ + if ($data) return (json_decode($data) != NULL) ? true : false; return $this->request->header('Accept') === 'application/json'; }
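Review bot: With the new `$found_misp_auth_key` gate, a request that carries a non-MISP `Authorization` header and no session now leaves this block neither authenticated nor rejected: the outer `if (!empty($_SERVER['HTTP_AUTHORIZATION']))` is still taken, so the `else if(!$this->Session->read(AuthComponent::$sessionKey))` branch that loads the authentication plugins is skipped, whereas the old code threw `ForbiddenException` here. Whether a later check in this method or in AuthComponent denies such a request is outside the hunk, so I would not lean on it; scanning the header first and branching on the flag keeps the session-less path reachable for foreign headers. The loop also keeps going after a match, so with several 40-character tokens the last one decides `$user` (a valid key followed by a malformed one ends in `ForbiddenException`); if one key per request is the contract, `break` after the first match, otherwise document the last-wins behaviour. The enclosing method starts and ends outside the hunk.
```php
// Scan the Authorization header before choosing a branch, so a header that
// carries no MISP-shaped key still falls through to the session check below.
$found_misp_auth_key = false;
$user = false;
if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
    foreach (explode(',', $_SERVER['HTTP_AUTHORIZATION']) as $auth_key) {
        if (preg_match('/^[a-zA-Z0-9]{40}$/', trim($auth_key))) {
            $found_misp_auth_key = true;
            $user = $this->checkAuthUser(trim($auth_key));
        }
    }
}
if ($found_misp_auth_key) {
    // … unchanged: session renew on success / destroy + ForbiddenException on failure …
    unset($user);
} else if (!$this->Session->read(AuthComponent::$sessionKey)) {
    // … unchanged: load authentication plugins from Configure::read('Security.auth') …
```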
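Review bot: `_isJson($data=false)` now has two unrelated meanings depending on its argument, and the new branch's `json_decode($data) != NULL` loose comparison reports valid JSON documents such as `0`, `false`, `""`, `null` and `[]` as not-JSON, because each decodes to a value that is `==` to `NULL`. Checking the parser's error state is exact: `if ($data !== false) { json_decode($data); return json_last_error() === JSON_ERROR_NONE; }`. Since the old contract was a pure `Accept` header test, a docblock stating that a string argument switches the method to content validation (or a separate `_isJsonString()` helper) would keep callers from passing a header value by mistake. The method is fully inside the hunk; the enclosing class is not.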