Parse authorization headers for a valid MISP auth key, fixes #478

- Keeps parsing until a valid auth key is found
2015-05-04 19:01:12 +02:00 · 2015-05-04 19:01:12 +02:00 · d9f4e996f2
parent e6ac4b0667
commit d9f4e996f2
3 changed files with 12 additions and 3 deletions
--- a/1
+++ b/1
@ -12,6 +12,7 @@ Contributions from:  (incomplete list, contact us to add your name)
 Copyright Christophe Vandeplas 
 Copyright Belgian Defence
 Copyright NATO / NCIRC
+Copyright Andras Iklody

 This code is licensed under the GNU AFFERO GENERAL PUBLIC LICENSE version 3.

--- a/VERSION.json
+++ b/VERSION.json
@ -1 +1 @@
-{"major":2, "minor":3, "hotfix":62}
+{"major":2, "minor":3, "hotfix":63}
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@ -87,10 +87,18 @@ class AppController extends Controller {
 			// disable CSRF for REST access
 			if (array_key_exists('Security', $this->components))
 				$this->Security->csrfCheck = false;
-
 			// Authenticate user with authkey in Authorization HTTP header
 			if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
-				$user = $this->checkAuthUser($_SERVER['HTTP_AUTHORIZATION']);
+				$authentication = explode(',', $_SERVER['HTTP_AUTHORIZATION']);
+				$user = false;
+				foreach ($authentication as $auth_key) {
+					if (preg_match('/^[a-zA-Z0-9]{40}$/', trim($auth_key))) {
+						$user = $this->checkAuthUser(trim($auth_key));
+						continue;
+					}
+				}
+				debug($user);
+				throw new Exception();
 				if ($user) {
 				    // User found in the db, add the user info to the session
 				    $this->Session->renew();