Fix malformed X-WSSE header vulnerability

Security/Http/Firewall/Listener.php

@@ -39,42 +39,48 @@ public function handle(GetResponseEvent $event)
         $request = $event->getRequest();
 
         //find out if the current request contains any information by which the user might be authenticated
-        if(!$request->headers->has('X-WSSE'))
+        if(!$request->headers->has('X-WSSE')) 
         {
+            //no WSSE header => not authenticated
+            $event->setResponse($this->authenticationEntryPoint->start($request, new AuthenticationException()));
             return;
         }
 
         $ae_message = null;
         $this->wsseHeader = $request->headers->get('X-WSSE');
         $wsseHeaderInfo = $this->parseHeader();
 
-        if($wsseHeaderInfo !== false)
+        if ($wsseHeaderInfo === false) 
         {
-            $token = new Token();
-            $token->setUser($wsseHeaderInfo['Username']);
+            //malformed WSSE header => not authenticated
+            $event->setResponse($this->authenticationEntryPoint->start($request, new AuthenticationException()));
+            return;
+        }
+
+        $token = new Token();
+        $token->setUser($wsseHeaderInfo['Username']);
 
-            $token->setAttribute('digest', $wsseHeaderInfo['PasswordDigest']);
-            $token->setAttribute('nonce', $wsseHeaderInfo['Nonce']);
-            $token->setAttribute('created', $wsseHeaderInfo['Created']);
+        $token->setAttribute('digest', $wsseHeaderInfo['PasswordDigest']);
+        $token->setAttribute('nonce', $wsseHeaderInfo['Nonce']);
+        $token->setAttribute('created', $wsseHeaderInfo['Created']);
 
-            try
+        try
+        {
+            $returnValue = $this->authenticationManager->authenticate($token);
+
+            if($returnValue instanceof TokenInterface)
             {
-                $returnValue = $this->authenticationManager->authenticate($token);
-
-                if($returnValue instanceof TokenInterface)
-                {
-                    return $this->securityContext->setToken($returnValue);
-                }
-                else if($returnValue instanceof Response)
-                {
-                    return $event->setResponse($returnValue);
-                }
+                return $this->securityContext->setToken($returnValue);
             }
-            catch(AuthenticationException $ae)
+            else if($returnValue instanceof Response)
             {
-                $event->setResponse($this->authenticationEntryPoint->start($request, $ae));
+                return $event->setResponse($returnValue);
             }
         }
+        catch(AuthenticationException $ae)
+        {
+            $event->setResponse($this->authenticationEntryPoint->start($request, $ae));
+        }
     }
 
     /**

Tests/Security/Http/Firewall/ListenerTest.php

@@ -6,6 +6,7 @@
 use Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Token\Token;
 
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
 
 class ListenerTest extends \PHPUnit_Framework_TestCase
 {
@@ -79,4 +80,50 @@ public function handleReturnResponse()
         $listener = new Listener($this->securityContext, $this->authenticationManager, $this->authenticationEntryPoint);
         $listener->handle($this->responseEvent);
     }
+
+    /**
+     * @test
+     */
+    public function handleReturnResponseWithNoWSSEHeader()
+    {
+        $token = new Token();
+        $token->setUser('admin');
+        $token->setAttribute('digest', 'admin');
+        $token->setAttribute('nonce', 'admin');
+        $token->setAttribute('created', '2010-12-12 20:00:00');
+        $response = new Response();
+
+        $this->authenticationEntryPoint->expects($this->once())->method('start')
+            ->with($this->request, new AuthenticationException())->will($this->returnValue($response));
+
+        // do not set an 'X-WSSE' request header
+
+        $listener = new Listener($this->securityContext, $this->authenticationManager, $this->authenticationEntryPoint);
+        $listener->handle($this->responseEvent);
+    }
+
+    /**
+     * @test
+     */
+    public function handleReturnResponseWithInvalidWSSEHeader()
+    {
+        $token = new Token();
+        $token->setUser('admin');
+        $token->setAttribute('digest', 'admin');
+        $token->setAttribute('nonce', 'admin');
+        $token->setAttribute('created', '2010-12-12 20:00:00');
+        $response = new Response();
+        $this->authenticationEntryPoint->expects($this->once())->method('start')
+            ->with($this->request, new AuthenticationException())->will($this->returnValue($response));
+
+        // set an invalid 'X-WSSE' header (missing opening quote on Username)   
+
+        $this->request->headers->add(
+                               array('X-WSSE' => 'UsernameToken Username=admin", PasswordDigest="admin", Nonce="admin", Created="2010-12-12 20:00:00"')
+        );
+
+        $listener = new Listener($this->securityContext, $this->authenticationManager, $this->authenticationEntryPoint);
+        $listener->handle($this->responseEvent);
+    }
+
 }