ZF-3092: The code allows "downgrade" of the authorization schemes.

Issue Type:
Bug
Created:
2008-04-10T10:35:25.000+0000
Last Updated:
2008-05-07T16:43:08.000+0000
Status:
Resolved
Fix version(s):
    Reporter:
    Slavey Karadzhov (slaff)
    Assignee:
    Darby Felton (darby)
    Tags:
    • Zend_Auth
    Related issues:
    Attachments:

    Description

    Zend/Auth/Adapter/Http.php

    A check is missing if the suggested from the client authentication scheme is one of the schemes that the server accepts. The current code allows the client to "downgrade" the authentication to Basic scheme, even though you may explicitly allowed only Digest scheme (via $config['accept_schemes']).

    Line: 393

    
if (!in_array($clientScheme, $this->_supportedSchemes)) {
    $this->_response->setHttpResponseCode(400);
    return new Zend_Auth_Result(
        Zend_Auth_Result::FAILURE_UNCATEGORIZED,
        array(),
        array('Client requested an unsupported authentication scheme')
    );
}

    Should be:

    
if (!in_array($clientScheme, $this->_supportedSchemes)) {
    $this->_response->setHttpResponseCode(400);
    return new Zend_Auth_Result(
        Zend_Auth_Result::FAILURE_UNCATEGORIZED,
        array(),
        array('Client requested an unsupported authentication scheme')
    );
}

if (!in_array($clientScheme, $this->_acceptSchemes)) {
    // challenge again the client
    return $this->_challengeClient();
}

    Comments

    Posted by Wil Sinclair (wil) on 2008-04-18T13:29:29.000+0000

    Please evaluate and categorize as necessary.

    Posted by julien PAULI (doctorrock83) on 2008-05-07T16:13:57.000+0000

    Resolved in trunk at r9403 A Zend_Auth_Result is returned with a Zend_Auth_Result::FAILURE_UNCATEGORIZED code.

    Posted by julien PAULI (doctorrock83) on 2008-05-07T16:43:08.000+0000

    Wrong implementation, yours (Slavey Karadzhov) is the right one, see r9404 , sorry