From d9f4e996f254b7d94012fb7433c9f9327f58866b Mon Sep 17 00:00:00 2001
From: iglocska
Date: Mon, 4 May 2015 19:01:12 +0200
Subject: [PATCH] Parse authorization headers for a valid MISP auth key, fixes #478
- Keeps parsing until a valid auth key is found
---
 AUTHORS | 1 +
 VERSION.json | 2 +-
 app/Controller/AppController.php | 12 ++++++++++--
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index c0a4f0eff..b2528f1d2 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -12,6 +12,7 @@ Contributions from: (incomplete list, contact us to add your name)
 Copyright Christophe Vandeplas
 Copyright Belgian Defence
 Copyright NATO / NCIRC
+Copyright Andras Iklody
 This code is licensed under the GNU AFFERO GENERAL PUBLIC LICENSE version 3.
diff --git a/VERSION.json b/VERSION.json
index 4698e65fc..b3ea3fe9c 100644
--- a/VERSION.json
+++ b/VERSION.json
@@ -1 +1 @@
-{"major":2, "minor":3, "hotfix":62}
+{"major":2, "minor":3, "hotfix":63}
diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index b04b77d52..c0b43fb84 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -87,10 +87,18 @@ class AppController extends Controller {
 // disable CSRF for REST access
 if (array_key_exists('Security', $this->components)) $this->Security->csrfCheck = false;
- // Authenticate user with authkey in Authorization HTTP header
 if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
- $user = $this->checkAuthUser($_SERVER['HTTP_AUTHORIZATION']);
+ $authentication = explode(',', $_SERVER['HTTP_AUTHORIZATION']);
+ $user = false;
+ foreach ($authentication as $auth_key) {
+ if (preg_match('/^[a-zA-Z0-9]{40}$/', trim($auth_key))) {
+ $user = $this->checkAuthUser(trim($auth_key));
+ continue;
+ }
+ }
+ debug($user);
+ throw new Exception();
 if ($user) {
 // User found in the db, add the user info to the session
 $this->Session->renew();