Merge pull request #396 in ZP/z-push from...

Merge pull request #396 in ZP/z-push from bugfix/ZP-672-options-without-authentication-info to develop * commit 'b53d0252': ZP-672 Also authenticate Option requests. ZP-672 Always require authentication info.

Merge pull request #396 in ZP/z-push from...
Merge pull request #396 in ZP/z-push from bugfix/ZP-672-options-without-authentication-info to develop * commit 'b53d0252': ZP-672 Also authenticate Option requests. ZP-672 Always require authentication info.
d130e572 · Sebastian Kummer · 0b80ab55 · b53d0252 · d130e572
Commit d130e572 authored Nov 21, 2016 by Sebastian Kummer
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 6 deletions

index.php src/index.php +13 -6

No files found.
--- a/src/index.php
+++ b/src/index.php
@@ -51,9 +51,15 @@ include_once(ZPUSH_CONFIG);
                sprintf("cmd='%s' devType='%s' devId='%s' getUser='%s' from='%s' version='%s' method='%s'",
                        Request::GetCommand(), Request::GetDeviceType(), Request::GetDeviceID(), Request::GetGETUser(), Request::GetRemoteAddr(), @constant('ZPUSH_VERSION'), Request::GetMethod() ));

+        // always request the authorization header
+        if (! Request::HasAuthenticationInfo() || !Request::GetGETUser())
+            throw new AuthenticationRequiredException("Access denied. Please send authorisation information");
+
        // Stop here if this is an OPTIONS request
-        if (Request::IsMethodOPTIONS())
+        if (Request::IsMethodOPTIONS()) {
+            RequestProcessor::Authenticate();
            throw new NoPostRequestException("Options request", NoPostRequestException::OPTIONS_REQUEST);
+        }

        ZPush::CheckAdvancedConfig();

@@ -67,10 +73,6 @@ include_once(ZPUSH_CONFIG);
        // Load the backend
        $backend = ZPush::GetBackend();

-        // always request the authorization header
-        if (! Request::HasAuthenticationInfo() || !Request::GetGETUser())
-            throw new AuthenticationRequiredException("Access denied. Please send authorisation information");
-
        // check the provisioning information
        if (PROVISIONING === true && Request::IsMethodPOST() && ZPush::CommandNeedsProvisioning(Request::GetCommandCode()) &&
            ((Request::WasPolicyKeySent() && Request::GetPolicyKey() == 0) || ZPush::GetDeviceManager()->ProvisioningRequired(Request::GetPolicyKey())) &&
@@ -180,7 +182,12 @@ include_once(ZPUSH_CONFIG);
        }

        if ($ex instanceof AuthenticationRequiredException) {
-            ZPush::PrintZPushLegal($exclass, sprintf('<pre>%s</pre>',$ex->getMessage()));
+            // Only print ZPush legal message for GET requests because
+            // some devices send unauthorized OPTIONS requests
+            // and don't expect anything in the response body
+            if (Request::IsMethodGET()) {
+                ZPush::PrintZPushLegal($exclass, sprintf('<pre>%s</pre>',$ex->getMessage()));
+            }

            // log the failed login attemt e.g. for fail2ban
            if (defined('LOGAUTHFAIL') && LOGAUTHFAIL != false)