ZF-9985: Zend_Amf authentication does not handle Zend_Amf_MessageHeaders as it should

Description

When using authentication in an AMF request, Zend_Amf_Server fails to recognise the appropriate headers.

In Zend_Amf_Server on line 496 it starts to handle the authentication. First, it gets the AMF headers, and then checks if there is an array key called 'Credentials' (Zend_Amf_Constants::CREDENTIALS_HEADER). If there is, then it checks if there is a userid property:


$handleAuth = false;
if ($this->_auth) {
    $headers = $request->getAmfHeaders();
    if (isset($headers[Zend_Amf_Constants::CREDENTIALS_HEADER]) &&
        isset($headers[Zend_Amf_Constants::CREDENTIALS_HEADER]->userid)) {
        $handleAuth = true;
    }
}

But there is no array key called Credentials, because all headers are simply pushed in the headers array (see Zend_Amf_Request line 121):


// Iterate through the AMF envelope header
while ($headerCount--) {
    $this->_headers[] = $this->readHeader();
}

When outputting the headers ($request->getAmfHeaders(), line 498, Zend_Amf_Server), this is what you get:


Array
(
    [0] => Zend_Amf_Value_MessageHeader Object
        (
            [name] => Credentials
            [mustRead] => 1
            [length] => 43
            [data] => stdClass Object
                (
                    [userid] => *snip*
                    [password] => *snip*
                )

        )
)

But according to the code, it looks like it expects something like this:


Array (
    [Credentials] => Object
        (
           [userid] => *snip*
           [password] => *snip*
        )
)

Proposed solution: Loop through the headers, and check if there is a Zend_Amf_Value_MessageHeader which has a $name property that is called 'Credentials', and then check if the Zend_Amf_Value_MessageHeader $data property has a $userid property.

The problem is in version 1.10.0 but I also checked the latest version (1.10.5), but it does not seem changed since 1.10.0.
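
The proposed loop, sketched as an added example (not code from Zend Framework or from the reporter). MessageHeaderStandIn is a constructed stand-in for Zend_Amf_Value_MessageHeader with the properties shown in the dump above, findCredentials() is a hypothetical helper, and the sample header values are made up. It runs the original key-based check and the loop over the same numerically indexed header list.

```php
<?php
// Constructed stand-in for Zend_Amf_Value_MessageHeader (example only).
class MessageHeaderStandIn
{
    public $name;
    public $mustRead;
    public $data;

    public function __construct($name, $mustRead, $data)
    {
        $this->name = $name;
        $this->mustRead = $mustRead;
        $this->data = $data;
    }
}

// Header name the report gives for Zend_Amf_Constants::CREDENTIALS_HEADER.
const CREDENTIALS_HEADER = 'Credentials';

// Hypothetical helper: scan the header list for a Credentials header whose
// data object carries a non-empty userid; return that data object or null.
function findCredentials(array $headers)
{
    foreach ($headers as $header) {
        if (!is_object($header) || !isset($header->name, $header->data)) {
            continue; // malformed or empty header entry
        }
        if ($header->name !== CREDENTIALS_HEADER || !is_object($header->data)) {
            continue;
        }
        if (isset($header->data->userid) && $header->data->userid !== '') {
            return $header->data;
        }
    }
    return null;
}

// Constructed sample: headers pushed with $this->_headers[] get integer keys.
$creds = new stdClass();
$creds->userid = 'alice';
$creds->password = 'example-password';
$headers = array(
    new MessageHeaderStandIn('OtherHeader', false, new stdClass()),
    new MessageHeaderStandIn('Credentials', true, $creds),
);

// Original check: looks for a string key that the list never has.
$oldHandleAuth = isset($headers[CREDENTIALS_HEADER])
    && isset($headers[CREDENTIALS_HEADER]->userid);
// Loop-based check from the proposed solution.
$newHandleAuth = findCredentials($headers) !== null;
var_dump($oldHandleAuth, $newHandleAuth);
```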

Comments

Using 1.11.8 and still have this problem, any solution?

I believe you can find a solution at http://eschrade.com/page/…