Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[HttpKernel] Fix UriSigner::check when _hash is not at the end of the uri #12574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 10 commits into from
Closed

[HttpKernel] Fix UriSigner::check when _hash is not at the end of the uri #12574

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
6168de1
Fix UriSigner::check when _hash is not at the end of the uri
nyroDev Nov 25, 2014
6853d5f
Remove tab space into spaces
nyroDev Nov 25, 2014
1137c84
Use empty intead of isset
nyroDev Nov 25, 2014
116c6df
Remove empty spaces at end of lines
nyroDev Nov 25, 2014
0093235
Remove empty spaces at end of lines
nyroDev Nov 25, 2014
7cd4ec8
Change sign function and check function in order to order parameters …
nyroDev Nov 26, 2014
969f45f
Remove unusuful whitespace
nyroDev Nov 26, 2014
8a46d7b
Remove unusuful whitespace
nyroDev Nov 26, 2014
8aac229
Naturally sort paramaters to follow amazon AWS ordering rule
nyroDev Nov 27, 2014
bc34dc5
Remove SORT_NATURAL as it's seems to be the default order anyway and …
nyroDev Nov 27, 2014
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions 2 src/Symfony/Component/HttpKernel/Tests/UriSignerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,5 +33,7 @@ public function testCheck()

$this->assertTrue($signer->check($signer->sign('http://example.com/foo')));
$this->assertTrue($signer->check($signer->sign('http://example.com/foo?foo=bar')));

$this->assertTrue($signer->sign('http://example.com/foo?foo=bar&bar=foo') === $signer->sign('http://example.com/foo?bar=foo&foo=bar'));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

using assertSame would be better

}
}
41 changes: 39 additions & 2 deletions 41 src/Symfony/Component/HttpKernel/UriSigner.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,15 @@ public function __construct($secret)
*/
public function sign($uri)
{
$url = parse_url($uri);
if (isset($url['query'])) {
parse_str($url['query'], $params);
} else {
$params = array();
}

$uri = $this->buildUrl($url, $params);

return $uri.(false === (strpos($uri, '?')) ? '?' : '&').'_hash='.$this->computeHash($uri);
}

Expand All @@ -58,15 +67,43 @@ public function sign($uri)
*/
public function check($uri)
{
if (!preg_match('/^(.*)(?:\?|&)_hash=(.+?)$/', $uri, $matches)) {
$url = parse_url($uri);
if (isset($url['query'])) {
parse_str($url['query'], $params);
} else {
$params = array();
}

if (empty($params['_hash'])) {
return false;
}

return $this->computeHash($matches[1]) === $matches[2];
$hash = urlencode($params['_hash']);
unset($params['_hash']);

return $this->computeHash($this->buildUrl($url, $params)) === $hash;
}

private function computeHash($uri)
{
return urlencode(base64_encode(hash_hmac('sha256', $uri, $this->secret, true)));
}

private function buildUrl(array $url, array $params = array())
{
ksort($params);
$url['query'] = http_build_query($params);

$scheme = isset($url['scheme']) ? $url['scheme'].'://' : '';
$host = isset($url['host']) ? $url['host'] : '';
$port = isset($url['port']) ? ':'.$url['port'] : '';
$user = isset($url['user']) ? $url['user'] : '';
$pass = isset($url['pass']) ? ':'.$url['pass'] : '';
$pass = ($user || $pass) ? "$pass@" : '';
$path = isset($url['path']) ? $url['path'] : '';
$query = isset($url['query']) && $url['query'] ? '?'.$url['query'] : '';
$fragment = isset($url['fragment']) ? '#'.$url['fragment'] : '';

return $scheme.$user.$pass.$host.$port.$path.$query.$fragment;
}
}
Morty Proxy This is a proxified and sanitized view of the page, visit original site.