Issues

ZF-3092: The code allows "downgrade" of the authorization schemes.

Issue Type: Bug Created: 2008-04-10T10:35:25.000+0000 Last Updated: 2008-05-07T16:43:08.000+0000 Status: Resolved Fix version(s): Reporter: Slavey Karadzhov (slaff) Assignee: Darby Felton (darby) Tags: - Zend_Auth

Related issues: Attachments:

Description

Zend/Auth/Adapter/Http.php

A check is missing if the suggested from the client authentication scheme is one of the schemes that the server accepts. The current code allows the client to "downgrade" the authentication to Basic scheme, even though you may explicitly allowed only Digest scheme (via $config['accept_schemes']).

Line: 393

<pre class="highlight">
if (!in_array($clientScheme, $this->_supportedSchemes)) {
    $this->_response->setHttpResponseCode(400);
    return new Zend_Auth_Result(
        Zend_Auth_Result::FAILURE_UNCATEGORIZED,
        array(),
        array('Client requested an unsupported authentication scheme')
    );
}

Should be:

<pre class="highlight">
if (!in_array($clientScheme, $this->_supportedSchemes)) {
    $this->_response->setHttpResponseCode(400);
    return new Zend_Auth_Result(
        Zend_Auth_Result::FAILURE_UNCATEGORIZED,
        array(),
        array('Client requested an unsupported authentication scheme')
    );
}

if (!in_array($clientScheme, $this->_acceptSchemes)) {
    // challenge again the client
    return $this->_challengeClient();
}

Comments

Posted by Wil Sinclair (wil) on 2008-04-18T13:29:29.000+0000

Please evaluate and categorize as necessary.

Posted by julien PAULI (doctorrock83) on 2008-05-07T16:13:57.000+0000

Resolved in trunk at r9403 A Zend_Auth_Result is returned with a Zend_Auth_Result::FAILURE_UNCATEGORIZED code.

Posted by julien PAULI (doctorrock83) on 2008-05-07T16:43:08.000+0000

Wrong implementation, yours (Slavey Karadzhov) is the right one, see r9404 , sorry

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts