Merge branch 'release/3.4.0'

getgrav · Feb 1, 2021 · b38cb12 · b38cb12
2 parents 16b882f + 92acb1f
commit b38cb12
Show file tree

Hide file tree

Showing 20 changed files with 650 additions and 225 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,12 @@
+# v3.4.0
+## 01/31/2021
+
+1. [](#new)
+   * Prevent information leak on every ACL protected page by always setting Cache-Control [#264](https://github.com/getgrav/grav-plugin-login/issues/264))
+1. [](#improved)
+   * Allow browser caching for all login/profile pages
+   * Composer update 
+
 # v3.3.8
 ## 12/11/2020
 

diff --git a/blueprints.yaml b/blueprints.yaml
@@ -1,7 +1,7 @@
 name: Login
 slug: login
 type: plugin
-version: 3.3.8
+version: 3.4.0
 testing: false
 description: Enables user authentication and login screen.
 icon: sign-in

diff --git a/classes/Login.php b/classes/Login.php
@@ -612,14 +612,14 @@ public function getRateLimiter($context, $maxCount = null, $interval = null)
     public function isUserAuthorizedForPage(UserInterface $user, PageInterface $page, $config = null)
     {
         $header = $page->header();
-        $rules = isset($header->access) ? (array)$header->access : [];
+        $rules = (array)($header->access ?? []);
 
         if (!$rules && $config !== null && $config->get('parent_acl')) {
             // If page has no ACL rules, use its parent's rules
             $parent = $page->parent();
             while (!$rules and $parent) {
                 $header = $parent->header();
-                $rules = isset($header->access) ? (array)$header->access : [];
+                $rules = (array)($header->access ?? []);
                 $parent = $parent->parent();
             }
         }
@@ -629,6 +629,27 @@ public function isUserAuthorizedForPage(UserInterface $user, PageInterface $page
             return true;
         }
 
+        // All protected pages have a private cache-control. This includes pages which are for guests only.
+        $cacheControl = $page->cacheControl();
+        if (!$cacheControl) {
+            $cacheControl = 'private, no-cache, must-revalidate';
+        } else {
+            // The response is intended for a single user only and must not be stored by a shared cache.
+            $cacheControl = str_replace('public', 'private', $cacheControl);
+            if (strpos($cacheControl, 'private') === false) {
+                $cacheControl = 'private, ' . $cacheControl;
+            }
+            // The cache will send the request to the origin server for validation before releasing a cached copy.
+            if (strpos($cacheControl, 'no-cache') === false) {
+                $cacheControl .= ', no-cache';
+            }
+            // The cache must verify the status of the stale resources before using the copy and expired ones should not be used.
+            if (strpos($cacheControl, 'must-revalidate') === false) {
+                $cacheControl .= ', must-revalidate';
+            }
+        }
+        $page->cacheControl($cacheControl);
+
         // Deny access if user has not completed 2FA challenge.
         if ($user->authenticated && !$user->authorized) {
             return false;

diff --git a/composer.json b/composer.json
@@ -1,5 +1,5 @@
 {
-    "name": "grav-plugin-login",
+    "name": "getgrav/grav-plugin-login",
     "description": "Enables user authentication and login screen.",
     "keywords": ["login", "authentication", "admin", "security"],
     "homepage": "https://github.com/getgrav/grav-plugin-login",

diff --git a/composer.lock b/composer.lock
diff --git a/login.php b/login.php
@@ -339,7 +339,10 @@ public function addLoginPage()
         }
 
         // Login page may not have the correct Cache-Control header set, force no-store for the proxies.
-        $page->expires(0);
+        $cacheControl = $page->cacheControl();
+        if (!$cacheControl) {
+            $page->cacheControl('private, no-cache, must-revalidate');
+        }
     }
 
     /**
@@ -363,7 +366,10 @@ public function addForgotPage()
         }
 
         // Forgot page may not have the correct Cache-Control header set, force no-store for the proxies.
-        $page->expires(0);
+        $cacheControl = $page->cacheControl();
+        if (!$cacheControl) {
+            $page->cacheControl('private, no-cache, must-revalidate');
+        }
     }
 
     /**
@@ -396,7 +402,10 @@ public function addResetPage()
         }
 
         // Reset page may not have the correct Cache-Control header set, force no-store for the proxies.
-        $page->expires(0);
+        $cacheControl = $page->cacheControl();
+        if (!$cacheControl) {
+            $page->cacheControl('private, no-cache, must-revalidate');
+        }
     }
 
     /**
@@ -420,7 +429,10 @@ public function addRegisterPage()
         }
 
         // Register page may not have the correct Cache-Control header set, force no-store for the proxies.
-        $page->expires(0);
+        $cacheControl = $page->cacheControl();
+        if (!$cacheControl) {
+            $page->cacheControl('private, no-cache, must-revalidate');
+        }
     }
 
     /**
@@ -523,7 +535,10 @@ public function addProfilePage()
         }
 
         // Profile page may not have the correct Cache-Control header set, force no-store for the proxies.
-        $page->expires(0);
+        $cacheControl = $page->cacheControl();
+        if (!$cacheControl) {
+            $page->cacheControl('private, no-cache, must-revalidate');
+        }
 
         $this->storeReferrerPage();
     }
@@ -549,7 +564,10 @@ public function setUnauthorizedPage()
         }
 
         // Unauthorized page may not have the correct Cache-Control header set, force no-store for the proxies.
-        $page->expires(0);
+        $cacheControl = $page->cacheControl();
+        if (!$cacheControl) {
+            $page->cacheControl('private, no-cache, must-revalidate');
+        }
 
         unset($this->grav['page']);
         $this->grav['page'] = $page;
@@ -668,7 +686,10 @@ public function authorizePage()
             }
 
             // Login page may not have the correct Cache-Control header set, force no-store for the proxies.
-            $login_page->expires(0);
+            $cacheControl = $page->cacheControl();
+            if (!$cacheControl) {
+                $page->cacheControl('private, no-cache, must-revalidate');
+            }
 
             $this->authenticated = false;
             unset($this->grav['page']);

diff --git a/pages/forgot.md b/pages/forgot.md
@@ -1,6 +1,6 @@
 ---
 title: Forgot password
-expires: 0
+cache_control: private, no-cache, must-revalidate
 
 login_redirect_here: false
 

diff --git a/pages/login.md b/pages/login.md
@@ -1,6 +1,6 @@
 ---
 title: Login
-expires: 0
+cache_control: private, no-cache, must-revalidate
 
 login_redirect_here: false
 

diff --git a/pages/profile.md b/pages/profile.md
@@ -1,6 +1,6 @@
 ---
 title: Profile
-expires: 0
+cache_control: private, no-cache, must-revalidate
 access:
     site.login: true
 

diff --git a/pages/register.md b/pages/register.md
@@ -1,6 +1,6 @@
 ---
 login_redirect_here: false
-expires: 0
+cache_control: private, no-cache, must-revalidate
 
 form:
 

diff --git a/pages/reset.md b/pages/reset.md
@@ -1,6 +1,6 @@
 ---
 title: Reset password
-expires: 0
+cache_control: private, no-cache, must-revalidate
 
 login_redirect_here: false
 

diff --git a/pages/unauthorized.md b/pages/unauthorized.md
@@ -1,6 +1,6 @@
 ---
 title: Unauthorized
-expires: 0
+cache_control: private, no-cache, must-revalidate
 ---
 
 # You don't have access to this page...
diff --git a/vendor/composer/ClassLoader.php b/vendor/composer/ClassLoader.php
@@ -37,8 +37,8 @@
  *
  * @author Fabien Potencier <[email protected]>
  * @author Jordi Boggiano <[email protected]>
- * @see    http://www.php-fig.org/psr/psr-0/
- * @see    http://www.php-fig.org/psr/psr-4/
+ * @see    https://www.php-fig.org/psr/psr-0/
+ * @see    https://www.php-fig.org/psr/psr-4/
  */
 class ClassLoader
 {
@@ -60,7 +60,7 @@ class ClassLoader
     public function getPrefixes()
     {
         if (!empty($this->prefixesPsr0)) {
-            return call_user_func_array('array_merge', $this->prefixesPsr0);
+            return call_user_func_array('array_merge', array_values($this->prefixesPsr0));
         }
 
         return array();
@@ -279,7 +279,7 @@ public function isClassMapAuthoritative()
      */
     public function setApcuPrefix($apcuPrefix)
     {
-        $this->apcuPrefix = function_exists('apcu_fetch') && ini_get('apc.enabled') ? $apcuPrefix : null;
+        $this->apcuPrefix = function_exists('apcu_fetch') && filter_var(ini_get('apc.enabled'), FILTER_VALIDATE_BOOLEAN) ? $apcuPrefix : null;
     }
 
     /**
@@ -377,7 +377,7 @@ private function findFileWithExtension($class, $ext)
             $subPath = $class;
             while (false !== $lastPos = strrpos($subPath, '\\')) {
                 $subPath = substr($subPath, 0, $lastPos);
-                $search = $subPath.'\\';
+                $search = $subPath . '\\';
                 if (isset($this->prefixDirsPsr4[$search])) {
                     $pathEnd = DIRECTORY_SEPARATOR . substr($logicalPathPsr4, $lastPos + 1);
                     foreach ($this->prefixDirsPsr4[$search] as $dir) {