[Catalyst] Regarding the Authentication Tutorial

Kay Sindre Bærulfsen berulfsen at gmail.com
Wed Sep 6 08:25:57 CEST 2006

Hi people,


I was reading trough the Authentication Tutorial in the Catalyst
documentation, and found something I believe could be a
security-problem in applications using this approach. I guess you can
look at it as a typo too. :P

In the code for the auto:private it says;

# Allow unauthenticated users to reach the login page
if ($c->request->path =~ /login/) {
    return 1;

This regex will allow unauthentificated users to access restricted
pages and extract information.

If /admin/list/users is protected by the regex above, unauthenticated
users can access /admin/list/users/login, where the regex will match
only the "login" part of the path.

How to fix this? Easy! :) Change the regex from /login/ to /^login/ or
whatever location your login-form is. ('^' matches line start)

Kay Bærulfsen

More information about the Catalyst mailing list