From d63fbfaf87d716c95d888bcd735377a2310861d3 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 29 Nov 2023 19:59:43 +0100
Subject: [PATCH] new: [api] added X-MISP-AUTH as an alternative header to Authorization, fixes #9418
---
 app/Controller/ApiController.php | 2 +-
 app/Controller/AppController.php | 13 ++++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/app/Controller/ApiController.php b/app/Controller/ApiController.php
index c1c1b69d1..8e1d58b1e 100644
--- a/app/Controller/ApiController.php
+++ b/app/Controller/ApiController.php
@@ -268,7 +268,7 @@ misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
 misp.direct_call(relative_path, body)
 ',
 $baseurl,
- $request['header']['Authorization'],
+ isset($request['header']['X-MISP-AUTH']) ? $request['header']['X-MISP-AUTH'] : $request['header']['Authorization'],
 $verifyCert,
 $relative,
 (empty($request['body']) ? 'None' : $request['body'])
diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index 1d0ad48a9..c0d4aad29 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
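Review bot: The new ternary picks X-MISP-AUTH whenever the key is merely set, so an empty X-MISP-AUTH value produces `misp_key = ''` in the generated snippet while AppController's `!empty()` check would fall back to Authorization for the same request; `!empty($request['header']['X-MISP-AUTH']) ? $request['header']['X-MISP-AUTH'] : $request['header']['Authorization'],` keeps the two code paths in step. The Authorization fallback is still read unconditionally, so a request carrying neither header raises an undefined-index notice here (pre-existing, but this line is being rewritten; `?? ''` on the fallback avoids it). The chosen value appears to be interpolated unescaped into a single-quoted Python literal by the surrounding sprintf, so a header value containing a quote would yield a broken or altered snippet — worth a note on the line if that is accepted. The sprintf call starts and ends outside the hunk.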
@@ -400,13 +400,20 @@ class AppController extends Controller
 if (Configure::read('Security.allow_unsafe_apikey_named_param') && !empty($this->request->params['named']['apikey'])) {
 $namedParamAuthkey = $this->request->params['named']['apikey'];
 }
+ $apikey = null;
+ if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
+ $apikey = $_SERVER['HTTP_AUTHORIZATION'];
+ }
+ if (!empty($_SERVER['HTTP_X_MISP_AUTH'])) {
+ $apikey = $_SERVER['HTTP_X_MISP_AUTH'];
+ }
 // Authenticate user with authkey in Authorization HTTP header
- if (!empty($_SERVER['HTTP_AUTHORIZATION']) && strcasecmp(substr($_SERVER['HTTP_AUTHORIZATION'], 0, 5), "Basic") == 0) { // Skip Basic Authorizations
+ if (!empty($apikey) && strcasecmp(substr($apikey, 0, 5), "Basic") == 0) { // Skip Basic Authorizations
 return null;
 }
- if (!empty($_SERVER['HTTP_AUTHORIZATION']) || !empty($namedParamAuthkey)) {
+ if (!empty($apikey) || !empty($namedParamAuthkey)) {
 $foundMispAuthKey = false;
- $authentication = explode(',', $_SERVER['HTTP_AUTHORIZATION']);
+ $authentication = explode(',', $apikey);
 if (!empty($namedParamAuthkey)) {
 $authentication[] = $namedParamAuthkey;
 }
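Review bot: The "Skip Basic Authorizations" guard now inspects `$apikey` instead of the Authorization header, so a value sent in X-MISP-AUTH that happens to begin with "basic" (the comparison is case-insensitive) makes the method return null exactly as for an HTTP Basic credential, even though only the Authorization header can carry one; scoping the guard to the Authorization fallback keeps X-MISP-AUTH opaque, and `strncasecmp(..., 'Basic', 5) === 0` replaces the `substr` plus loose `==`. The comment `// Authenticate user with authkey in Authorization HTTP header` is now stale and should read `// Authenticate user with authkey in X-MISP-AUTH (preferred) or Authorization HTTP header`. The precedence of X-MISP-AUTH over Authorization also deserves a why-comment; from the referenced issue it presumably exists so the key survives a reverse proxy that consumes Authorization for HTTP Basic — confirm against #9418 before wording it. The enclosing method begins and ends outside the hunk.
```php
// … unchanged: Security.allow_unsafe_apikey_named_param handling …
$apikey = null;
// X-MISP-AUTH takes precedence over Authorization; presumably so the API key
// survives a proxy that consumes Authorization for HTTP Basic (#9418) — confirm
if (!empty($_SERVER['HTTP_X_MISP_AUTH'])) {
    $apikey = $_SERVER['HTTP_X_MISP_AUTH'];
} elseif (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
    // Only the Authorization header can carry an HTTP Basic credential; leave those alone
    if (strncasecmp($_SERVER['HTTP_AUTHORIZATION'], 'Basic', 5) === 0) {
        return null;
    }
    $apikey = $_SERVER['HTTP_AUTHORIZATION'];
}
// Authenticate user with authkey in X-MISP-AUTH (preferred) or Authorization HTTP header
if (!empty($apikey) || !empty($namedParamAuthkey)) {
// … unchanged: explode of $apikey and named-param append …
```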