Issue #2443571 by larowlan, Berdir: Port SA-CONTRIB-2015-052

8.0.x
Nathaniel Catchpole 2015-03-04 15:08:31 +00:00
parent 2bf5dc11da
commit fa29e0b5ca
4 changed files with 56 additions and 0 deletions


@ -4,3 +4,7 @@ services:
arguments: ['@config.factory', '@user.auth', '@flood', '@entity.manager']
tags:
- { name: authentication_provider, priority: 100 }
basic_auth.page_cache_request_policy.disallow_basic_auth_requests:
class: Drupal\basic_auth\PageCache\DisallowBasicAuthRequests
tags:
- { name: page_cache_request_policy }


@ -0,0 +1,33 @@
<?php
/**
* @file
* Contains \Drupal\basic_auth\PageCache\DisallowBasicAuthRequests.
*/
namespace Drupal\basic_auth\PageCache;
use Drupal\Core\PageCache\RequestPolicyInterface;
use Symfony\Component\HttpFoundation\Request;
/**
* Cache policy for pages served from basic auth.
*
* This policy disallows caching of requests that use basic_auth for security
* reasons. Otherwise responses for authenticated requests can get into the
* page cache and could be delivered to unprivileged users.
*/
class DisallowBasicAuthRequests implements RequestPolicyInterface {
/**
* {@inheritdoc}
*/
public function check(Request $request) {
$username = $request->headers->get('PHP_AUTH_USER');
$password = $request->headers->get('PHP_AUTH_PW');
if (isset($username) && isset($password)) {
return self::DENY;
}
}
}
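Review bot: check() falls off the end when either header is missing, so the "does not apply" result is an implicit NULL, and nothing in the class says that credentials are tested for presence only, never for validity. Presence-only is the safe direction, because a request with wrong credentials is also kept out of the page cache, but it deserves a comment above the `if`, for example `// Deny on presence alone: credentials are not validated here.` An explicit `return NULL;` after the `if` block, with an `@return` line naming `self::DENY` or NULL, would make the contract readable in this file. RequestPolicyInterface itself is not shown on this page, so confirm that NULL is its "no opinion" value.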


@ -29,6 +29,12 @@ class BasicAuthTest extends WebTestBase {
* Test http basic authentication.
*/
public function testBasicAuth() {
// Enable page caching.
$config = $this->config('system.performance');
$config->set('cache.page.use_internal', 1);
$config->set('cache.page.max_age', 300);
$config->save();
$account = $this->drupalCreateUser();
$url = Url::fromRoute('router_test.11');
@ -36,6 +42,8 @@ class BasicAuthTest extends WebTestBase {
$this->assertText($account->getUsername(), 'Account name is displayed.');
$this->assertResponse('200', 'HTTP response is OK');
$this->curlClose();
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
$this->assertIdentical(strpos($this->drupalGetHeader('Cache-Control'), 'public'), FALSE, 'Cache-Control is not set to public');
$this->basicAuthGet($url, $account->getUsername(), $this->randomMachineName());
$this->assertNoText($account->getUsername(), 'Bad basic auth credentials do not authenticate the user.');
@ -56,6 +64,15 @@ class BasicAuthTest extends WebTestBase {
$this->assertNoLink('Log out', 'User is not logged in');
$this->assertResponse('403', 'No basic authentication for routes not explicitly defining authentication providers.');
$this->curlClose();
// Ensure that pages already in the page cache aren't returned from page
// cache if basic auth credentials are provided.
$url = Url::fromRoute('router_test.10');
$this->drupalGet($url);
$this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'MISS');
$this->basicAuthGet($url, $account->getUsername(), $account->pass_raw);
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
$this->assertIdentical(strpos($this->drupalGetHeader('Cache-Control'), 'public'), FALSE, 'No page cache response when requesting a cached page with basic auth credentials.');
}
/**
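Review bot: None of the added assertions replays the leak this fix is about, an authenticated response being stored and then served to a client that sends no credentials; the test only infers it from the missing `X-Drupal-Cache` header. After the assertions added in the second hunk, a follow-up `$this->drupalGet($url);` with `$this->assertNoText($account->getUsername(), 'Authenticated response is not served to an anonymous request.');` would pin that directly. Whether router_test.11 answers anonymous requests at all is not visible here, so the expected status needs checking. In the last hunk the `assertFalse()` on `X-Drupal-Cache` has no message, while the `Cache-Control` assertion below it carries a message that describes the page cache response. testBasicAuth() starts before the first hunk and runs through all three.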


@ -48,6 +48,8 @@ router_test.8:
router_test.10:
path: '/router_test/test10'
options:
_auth: [ 'basic_auth', 'cookie' ]
defaults:
_controller: '\Drupal\router_test\TestContent::test1'
requirements: