[Catalyst] Regarding the Authentication Tutorial
Kay Sindre Bærulfsen
berulfsen at gmail.com
Wed Sep 6 08:25:57 CEST 2006
Hi people,
http://search.cpan.org/~mramberg/Catalyst-Runtime-5.7001/lib/Catalyst/Manual/Tutorial/Authentication.pod
I was reading through the Authentication Tutorial in the Catalyst
documentation, and found something I believe could be a
security problem in applications using this approach. I guess you can
look at it as a typo too. :P
In the code for auto :Private it says:
# Allow unauthenticated users to reach the login page
if ($c->request->path =~ /login/) {
return 1;
}
This regex will allow unauthenticated users to access restricted
pages and extract information.
If /admin/list/users is protected by the check above, unauthenticated
users can access /admin/list/users/login, because the unanchored regex
matches the "login" substring anywhere in the path, not just at its start.
How to fix this? Easy! :) Change the regex from /login/ to /^login/ or
whatever location your login form is at. ('^' anchors the match to the
start of the path; note that $c->request->path has no leading slash.)
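To see the difference between the two checks on concrete request paths, here is a small added example (not code from the tutorial or from the Catalyst project). The function names and the sample paths are my own; the third check goes one step beyond the post by also rejecting paths that merely start with "login", such as "loginfoo".

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from the Catalyst tutorial or from the post.
# Models the auto :Private exemption on a few constructed request paths.
# Catalyst's $c->request->path carries no leading slash, so the login
# action at /login sees the path "login".

# The tutorial's check: an unanchored match, so "login" anywhere in the
# path exempts the request from the authentication redirect.
sub is_public_unanchored {
    my ($path) = @_;
    return $path =~ /login/ ? 1 : 0;
}

# The fix from the post: anchor the match at the start of the path.
sub is_public_anchored {
    my ($path) = @_;
    return $path =~ /^login/ ? 1 : 0;
}

# One step further than the post: the path must be exactly "login" or a
# sub-path of it, so "loginfoo" is not exempted either.
sub is_public_exact {
    my ($path) = @_;
    return $path =~ m{^login(?:/|$)} ? 1 : 0;
}

# Constructed sample paths: the login page, a protected page, the bypass
# described in the post, and a look-alike prefix.
my @paths = ('login', 'admin/list/users', 'admin/list/users/login', 'loginfoo');

printf "%-26s %-10s %-8s %-5s\n", 'path', 'unanchored', 'anchored', 'exact';
for my $p (@paths) {
    printf "%-26s %-10d %-8d %-5d\n", $p,
        is_public_unanchored($p), is_public_anchored($p), is_public_exact($p);
}
```

Running it shows that only the unanchored check lets admin/list/users/login through, and only the exact check also stops loginfoo.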
--
Kay Bærulfsen