From 2532a7342581fa8eded8d33e98849b13498c34ca Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Fri, 10 Apr 2020 15:53:19 -0700
Subject: [PATCH] Don't throw errors if bad data is sent in the header

---
 .../Middleware/Api/Daemon/DaemonAuthenticate.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/app/Http/Middleware/Api/Daemon/DaemonAuthenticate.php b/app/Http/Middleware/Api/Daemon/DaemonAuthenticate.php
index 686d7a0fc..8735c8d26 100644
--- a/app/Http/Middleware/Api/Daemon/DaemonAuthenticate.php
+++ b/app/Http/Middleware/Api/Daemon/DaemonAuthenticate.php
@@ -8,6 +8,7 @@ use Illuminate\Contracts\Encryption\Encrypter;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Pterodactyl\Contracts\Repository\NodeRepositoryInterface;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 class DaemonAuthenticate
@@ -64,15 +65,21 @@ class DaemonAuthenticate
 );
 }
 
- [$identifier, $token] = explode('.', $bearer);
+ $parts = explode('.', $bearer);
+ // Ensure that all of the correct parts are provided in the header.
+ if (count($parts) !== 2 || empty($parts[0]) || empty($parts[1])) {
+ throw new BadRequestHttpException(
+ 'The Authorization headed provided was not in a valid format.',
+ );
+ }
 
 try {
 /** @var \Pterodactyl\Models\Node $node */
 $node = $this->repository->findFirstWhere([
- 'daemon_token_id' => $identifier,
+ 'daemon_token_id' => $parts[0],
 ]);
 
- if (hash_equals((string) $this->encrypter->decrypt($node->daemon_token), $token)) {
+ if (hash_equals((string) $this->encrypter->decrypt($node->daemon_token), $parts[1])) {
 $request->attributes->set('node', $node);
 
 return $next($request);
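Review bot: The message in the new BadRequestHttpException in the second hunk reads `headed` where `header` is meant: `'The Authorization header provided was not in a valid format.'`. The same guard uses `empty()` on the two parts, and `empty()` treats the string `'0'` as missing, so a token id or secret of exactly `0` would be rejected as a malformed header rather than checked; `$parts[0] === '' || $parts[1] === ''` expresses the stated intent (both parts present) without that edge case. The enclosing method begins before this hunk and its try/catch continues past it, so how the RecordNotFoundException from `findFirstWhere` is mapped to a response cannot be seen here.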