
This queue is for tickets about the Catalyst-Authentication-Credential-Upstream-Headers CPAN distribution.

Report information
The Basics
Id: 118514
Status: new
Priority: 0/
Queue: Catalyst-Authentication-Credential-Upstream-Headers

People
Owner: diz [...] cpan.org
Requestors: duncan_j_ferguson [...] yahoo.co.uk
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.02
Fixed in: (no value)



Subject: Authentication not strict enough
While we were testing certificate authentication via Catalyst, we noticed that it was possible to log into any user whose realm was set to ‘certificate’ as long as we had a valid certificate. This appears to be due to the fact that Catalyst/Authentication/Credential/Upstream/Headers.pm does not compare the login_username with the CN of the user. To correct this, we simply added the following line:

    return undef if ($c->req->body_parameters->{login_username} ne $c->req->headers->header($self->user_header));

Patch attached.
Subject: 01-Catalyst-Authentication-Credential-Upstream-Headers.patch
--- Catalyst-Authentication-Credential-Upstream-Headers-0.02.orig/lib/Catalyst/Authentication/Credential/Upstream/Headers.pm 2012-06-21 14:11:12.000000000 -0400 +++ Catalyst-Authentication-Credential-Upstream-Headers-0.02/lib/Catalyst/Authentication/Credential/Upstream/Headers.pm 2016-10-12 17:21:21.800000000 -0400 @@ -54,6 +54,8 @@ my $user = undef; my $delimiter = $self->role_delimiter; + return undef if ($c->req->body_parameters->{login_username} ne $c->req->headers->header($self->user_header)); + if (my $username = $c->req->headers->header($self->user_header)) { my @roles = split /\Q$delimiter\E */, $c->req->headers->header($self->role_header) || '';
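Review bot: the added `return undef` hard-codes the form field name `login_username` and runs its `ne` comparison before the existing `if (my $username = $c->req->headers->header($self->user_header))` guard, so a request with no `login_username` parameter (or an application whose login form uses a different field name) is rejected outright, and whenever either side is undefined Perl emits "Use of uninitialized value" warnings. Suggest moving the check inside that `if` block so it compares against `$username` instead of reading the header a second time, guarding with `defined` on the form value, and taking the parameter name from a configurable attribute alongside `user_header` rather than a literal key. Since the change makes a matching submitted username a hard requirement for every login, the new behaviour should also be described in the module's documentation.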
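The following stand-alone script is an added illustration of the check discussed in this ticket; it is not code from the Catalyst-Authentication-Credential-Upstream-Headers distribution. It models the credential's header handling with plain hashes in place of `$c->req`, and the header names, delimiter and request contents are constructed for the example. It shows the same request being accepted when the submitted username is ignored and rejected once it must match the upstream-asserted identity, and it treats a missing form field as a mismatch rather than comparing against `undef`.

```perl
#!/usr/bin/perl
# Added example, not the distribution's code: a stand-alone model of an
# upstream-header credential check with the username binding from the ticket.
use strict;
use warnings;

# Hypothetical configuration standing in for the module's user_header,
# role_header and role_delimiter attributes.
my %cfg = (
    user_header    => 'X-Upstream-User',
    role_header    => 'X-Upstream-Roles',
    role_delimiter => ',',
);

# $req is a constructed hash: { headers => {...}, params => {...} }.
# Returns { username => ..., roles => [...] } or undef when the request
# must be rejected.
sub authenticate_upstream {
    my ($req, $strict) = @_;

    my $header_user = $req->{headers}{ $cfg{user_header} };
    # No upstream identity: the proxy did not authenticate the client.
    return undef unless defined $header_user && length $header_user;

    if ($strict) {
        # The ticket's fix: the identity requested by the login form must be
        # the identity the upstream proxy asserted. A missing form field is
        # a mismatch, and 'eq' is only reached with a defined value, so no
        # "uninitialized value" warning is produced.
        my $requested = $req->{params}{login_username};
        return undef unless defined $requested && $requested eq $header_user;
    }

    # Roles are split on the delimiter plus optional trailing spaces, as the
    # module does.
    my $delim = $cfg{role_delimiter};
    my @roles = split /\Q$delim\E */, $req->{headers}{ $cfg{role_header} } // '';

    return { username => $header_user, roles => \@roles };
}

# Constructed requests: the upstream proxy asserts 'alice' from the client
# certificate, while the submitted form asks for a different account.
my $mismatched = {
    headers => { 'X-Upstream-User' => 'alice', 'X-Upstream-Roles' => 'staff, dev' },
    params  => { login_username => 'admin' },
};
my $matching = {
    headers => { 'X-Upstream-User' => 'alice', 'X-Upstream-Roles' => 'staff, dev' },
    params  => { login_username => 'alice' },
};
my $no_field = {
    headers => { 'X-Upstream-User' => 'alice' },
    params  => {},
};

for my $case ([unpatched => 0], [patched => 1]) {
    my ($label, $strict) = @$case;
    my $r = authenticate_upstream($mismatched, $strict);
    printf "%-9s mismatched username: %s\n", $label,
        $r ? "accepted as $r->{username}" : 'rejected';
}

my $ok = authenticate_upstream($matching, 1);
printf "patched   matching username: accepted as %s, roles=%s\n",
    $ok->{username}, join('|', @{ $ok->{roles} });

my $missing = authenticate_upstream($no_field, 1);
printf "patched   no login_username field: %s\n",
    $missing ? 'accepted' : 'rejected';
```

Running it with a stock perl prints the mismatched request as accepted in the unpatched mode and rejected in the patched mode, the matching request as accepted with roles `staff|dev`, and the request without a `login_username` field as rejected. The `defined` guard is the part the ticket's one-line patch lacks.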