Subject: Authentication not strict enough
While we were testing certificate authentication via Catalyst, we noticed that it was possible to log into any user whose realm was set to ‘certificate’ as long as we had a valid certificate. This appears to be due to the fact that Catalyst/Authentication/Credential/Upstream/Headers.pm does not compare the login_username with the CN of the user.
To correct this, we simply added the following line:
return undef if ($c->req->body_parameters->{login_username} ne $c->req->headers->header($self->user_header));
Patch attached
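The mismatch check described in the report, as an added stand-alone illustration (not code from Catalyst::Authentication::Credential::Upstream::Headers or from the reporter's patch). It models the request with plain hashes instead of a Catalyst context, and the header name `X-Remote-User` and form field `login_username` are assumptions; the point it adds over the one-line patch is rejecting a missing or empty value without a warning on undef.

```perl
#!/usr/bin/env perl
# Added illustration, not the module's code. Request objects are plain hashes here;
# the header and form field names are assumptions.
use strict;
use warnings;

# Unchecked: whatever user the upstream header names is accepted, regardless of
# which user the login form asked for.
sub upstream_user_unchecked {
    my ($req) = @_;
    return $req->{headers}{'X-Remote-User'};
}

# Checked: the header must be present, and the user named by the form must be the
# same user the upstream proxy identified; both tests are defined-safe so a missing
# parameter is refused rather than compared as undef.
sub upstream_user_checked {
    my ($req) = @_;
    my $header_user = $req->{headers}{'X-Remote-User'};
    my $wanted_user = $req->{body_parameters}{login_username};

    return undef unless defined $header_user && length $header_user;
    return undef unless defined $wanted_user && $wanted_user eq $header_user;
    return $header_user;
}

# Constructed sample requests: the proxy set the header from the certificate CN,
# while the form names a different account.
my $mismatch = {
    headers         => { 'X-Remote-User' => 'alice' },
    body_parameters => { login_username => 'bob' },
};
my $match = {
    headers         => { 'X-Remote-User' => 'alice' },
    body_parameters => { login_username => 'alice' },
};
my $no_form = {
    headers         => { 'X-Remote-User' => 'alice' },
    body_parameters => {},
};

for my $case ([mismatch => $mismatch], [match => $match], [no_form => $no_form]) {
    my ($name, $req) = @$case;
    printf "%-8s unchecked=%s checked=%s\n", $name,
        upstream_user_unchecked($req) // 'undef',
        upstream_user_checked($req)   // 'undef';
}
```

The unchecked variant returns the header user for all three requests; the checked one returns it only when the form and the header agree, and refuses the form-less request without emitting an "uninitialized value" warning.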
Subject: 01-Catalyst-Authentication-Credential-Upstream-Headers.patch
--- Catalyst-Authentication-Credential-Upstream-Headers-0.02.orig/lib/Catalyst/Authentication/Credential/Upstream/Headers.pm 2012-06-21 14:11:12.000000000 -0400
+++ Catalyst-Authentication-Credential-Upstream-Headers-0.02/lib/Catalyst/Authentication/Credential/Upstream/Headers.pm 2016-10-12 17:21:21.800000000 -0400
@@ -54,6 +54,8 @@
my $user = undef;
my $delimiter = $self->role_delimiter;
+ return undef if ($c->req->body_parameters->{login_username} ne $c->req->headers->header($self->user_header));
+
if (my $username = $c->req->headers->header($self->user_header)) {
my @roles = split /\Q$delimiter\E */, $c->req->headers->header($self->role_header) || '';
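Review bot: the added `return undef if (... ne ...)` line hardcodes the form field name `login_username` and reads `$c->req->body_parameters` directly, so a login submitted any other way (query parameter, a differently named field, or a programmatic `$c->authenticate` call) never matches, and when either the parameter or the header is absent `ne` compares undef and warns. Consider taking the expected username from the `$authinfo` hash that `authenticate` receives and comparing inside the existing `if (my $username = ...)` block, e.g. `return undef unless defined $authinfo->{username} && $authinfo->{username} eq $username;` (the `username` key is the conventional one; its exact name is the caller's choice), so a missing username is rejected without a warning and the header is read once.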