Parse authorization headers for a valid MISP auth key, fixes #478

- Keeps parsing until a valid auth key is found

AUTHORS

@@ -12,6 +12,7 @@ Contributions from:  (incomplete list, contact us to add your name)
 Copyright Christophe Vandeplas 
 Copyright Belgian Defence
 Copyright NATO / NCIRC
+Copyright Andras Iklody
 
 This code is licensed under the GNU AFFERO GENERAL PUBLIC LICENSE version 3.
 

VERSION.json

@@ -1 +1 @@
-{"major":2, "minor":3, "hotfix":62}
+{"major":2, "minor":3, "hotfix":63}

app/Controller/AppController.php

@@ -87,10 +87,18 @@ class AppController extends Controller {
 			// disable CSRF for REST access
 			if (array_key_exists('Security', $this->components))
 				$this->Security->csrfCheck = false;
-
 			// Authenticate user with authkey in Authorization HTTP header
 			if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
-				$user = $this->checkAuthUser($_SERVER['HTTP_AUTHORIZATION']);
+				$authentication = explode(',', $_SERVER['HTTP_AUTHORIZATION']);
+				$user = false;
+				foreach ($authentication as $auth_key) {
+					if (preg_match('/^[a-zA-Z0-9]{40}$/', trim($auth_key))) {
+						$user = $this->checkAuthUser(trim($auth_key));
+						continue;
+					}
+				}
+				debug($user);
+				throw new Exception();
 				if ($user) {
 				    // User found in the db, add the user info to the session
 				    $this->Session->renew();