Security concern: If `$token->nonce` is set to [ANY USER INPUT] and later we run `file_put_contents($token->nonce, time())`, are we allowing hackers to destroy any www-writable file in the system?
I did notice that `$nonce` is run through `base64_decode($nonce)`. Could this regex be updated to only accept a Base64 string `[a-zA-Z+/]+={0,2}` for the nonce?
…ed) (mattjanssen, WouterJ)
This PR was merged into the 2.3 branch.
Discussion
----------
File System Security Issue in Custom Auth Article (finished)
Finishes #5846
Original description:
> | Q | A
> | ------------- | ---
> | Doc fix? | yes
> | New docs? | no
> | Applies to | all
> | Fixed tickets | #5845
>
> I hope to address this security concern: If `$token->nonce` is set to [ANY USER INPUT] and later we run `file_put_contents($token->nonce, time())` are we allowing hackers to destroy any www-writable file in the system?
>
> I did notice that `$nonce` is run through `base64_decode($nonce)` later in the article, implying nonce needs to be a Base64 string. Could this Regex be updated to only accept a Base64 string `[a-zA-Z+/]+={0,2}` for the nonce?
>
> At the same time, Base64 allows `/` characters, so `file_put_contents()` would fail in those cases, so even this change, while secure, seems flawed. Replace [+/] with [-_]?
Commits
-------
673fd71 Hash nonce when using as file name
5f125f3 File System Security Issue in Custom Auth Article
https://github.com/symfony/symfony-docs/blob/master/cookbook/security/custom_authentication_provider.rst#the-listener
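The vulnerable pattern the issue describes, beside a hardened version that follows the approach of the merged PR (hash the nonce before using it as a file name), as an added PHP example. This is not code from the Symfony documentation article or from this PR; the `NonceStore` class, the `$cacheDir` location, and the 300-second freshness window are assumptions made for the example.

```php
<?php
// Added example (not Symfony's documentation code and not part of this PR).
// Shows why a client-supplied nonce must never be used directly as a path,
// and a hardened variant in the spirit of commit "Hash nonce when using as
// file name". NonceStore, $cacheDir and the 300 s window are assumptions.

declare(strict_types=1);

final class NonceStore
{
    public function __construct(private string $cacheDir) {}

    // VULNERABLE: the nonce comes straight from the request and is used as a
    // path component. A value containing "../" escapes $cacheDir, so any file
    // the web server user can write to is overwritten with a timestamp.
    public function rememberUnsafe(string $nonce): void
    {
        file_put_contents($this->cacheDir . '/' . $nonce, (string) time());
    }

    // HARDENED: first validate the nonce's shape, then derive the file name
    // from a hash so the path component is fixed-alphabet hex of known length.
    public function rememberSafe(string $nonce): void
    {
        if (!self::isValidNonce($nonce)) {
            throw new \InvalidArgumentException('Nonce is not a valid Base64 string.');
        }

        $path = $this->pathFor($nonce);

        // Replay check (assumed 300 s window): a nonce seen recently is rejected.
        if (is_file($path) && (int) file_get_contents($path) + 300 > time()) {
            throw new \RuntimeException('Previously used nonce detected.');
        }

        file_put_contents($path, (string) time());
    }

    public static function isValidNonce(string $nonce): bool
    {
        // Base64 alphabet as proposed in the issue, with digits added (the
        // issue's regex omits 0-9). Strict decoding rejects stray characters.
        return preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $nonce) === 1
            && base64_decode($nonce, true) !== false;
    }

    public function pathFor(string $nonce): string
    {
        // sha256 hex output is 64 chars of [0-9a-f]: no '/', no '..', no NUL,
        // so the resulting path always stays inside $cacheDir. Hashing also
        // sidesteps the issue's observation that a raw Base64 nonce may
        // contain '/', which would make file_put_contents() fail.
        return $this->cacheDir . '/' . hash('sha256', $nonce);
    }
}

// Usage with constructed inputs.
$cacheDir = sys_get_temp_dir() . '/nonce-cache';
if (!is_dir($cacheDir)) {
    mkdir($cacheDir, 0700, true);
}
$store = new NonceStore($cacheDir);

// Constructed traversal-style value: rejected before any file is touched.
$malicious = '../../../../some-writable-target';
var_dump(NonceStore::isValidNonce($malicious)); // bool(false)

// Constructed legitimate nonce (may legitimately contain '/' or '+').
$legit = base64_encode(random_bytes(16));
$store->rememberSafe($legit);            // writes $cacheDir/<64 hex chars>
echo $store->pathFor($legit), PHP_EOL;

try {
    $store->rememberSafe($legit);        // second use inside the window
} catch (\RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;      // Previously used nonce detected.
}
```

Validation alone is not enough here: the regex still admits `/`, so the hash is what guarantees a single, separator-free path component. Keeping the validation step in front of the hash is still worthwhile, since it rejects malformed input early and keeps the later `base64_decode()` from operating on garbage.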