Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

File System Security Issue in Custom Auth Article (finished) #6234

Merged
merged 2 commits into from
Feb 7, 2016

Conversation

wouterj
Copy link
Member

@wouterj wouterj commented Feb 6, 2016

Finishes #5846

Original description:

Q A
Doc fix? yes
New docs? no
Applies to all
Fixed tickets #5845

I hope to address this security concern: If $token->nonce is set to [ANY USER INPUT] and later we run file_put_contents($token->nonce, time()) are we allowing hackers to destroy any www-writable file in the system?

I did notice that $nonce is run through base64_decode($nonce) later in the article, implying nonce needs to be a Base64 string. Could this Regex be updated to only accept a Base64 string [a-zA-Z+/]+={0,2} for the nonce?

At the same time, Base64 allows / characters, so file_put_contents() would fail in those cases, so even this change, while secure, seems flawed. Replace [+/] with [-_]?

mattjanssen and others added 2 commits February 6, 2016 17:09
I hope to address this security concern: If `$token->nonce` is set to [ANY USER INPUT] and later we run `file_put_contents($token->nonce, time())` are we allowing hackers to destroy any www-writable file in the system?

I did notice that `$nonce` is run through `base64_decode($nonce)` later in the article, implying nonce needs to be a Base64 string. Could this Regex be updated to only accept a Base64 string `[a-zA-Z+/]+={0,2}` for the nonce?

At the same time, Base64 allows `/` characters, so `file_put_contents()` would fail in those cases, so even this change, while secure, seems flawed. Replace [+/] with [-_]?
@mattjanssen
Copy link
Contributor

👍

@xabbuh
Copy link
Member

xabbuh commented Feb 7, 2016

Thank you @mattjanssen.

@xabbuh xabbuh merged commit 673fd71 into symfony:2.3 Feb 7, 2016
xabbuh added a commit that referenced this pull request Feb 7, 2016
…ed) (mattjanssen, WouterJ)

This PR was merged into the 2.3 branch.

Discussion
----------

File System Security Issue in Custom Auth Article (finished)

Finishes #5846

Original description:

 > | Q             | A
 > | ------------- | ---
 > | Doc fix?      | yes
 > | New docs?     | no
 > | Applies to    | all
 > | Fixed tickets | #5845
 >
 > I hope to address this security concern: If `$token->nonce` is set to [ANY USER INPUT] and later we run `file_put_contents($token->nonce, time())` are we allowing hackers to destroy any www-writable file in the system?
 >
 > I did notice that `$nonce` is run through `base64_decode($nonce)` later in the article, implying nonce needs to be a Base64 string. Could this Regex be updated to only accept a Base64 string `[a-zA-Z+/]+={0,2}` for the nonce?
 >
 > At the same time, Base64 allows `/` characters, so `file_put_contents()` would fail in those cases, so even this change, while secure, seems flawed. Replace [+/] with [-_]?

Commits
-------

673fd71 Hash nonce when using as file name
5f125f3 File System Security Issue in Custom Auth Article
@wouterj wouterj deleted the mattjanssen-patch-2 branch February 7, 2016 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants