Issue #2443571 by larowlan, Berdir: Port SA-CONTRIB-2015-052

core/modules/basic_auth/basic_auth.services.yml

@@ -4,3 +4,7 @@ services:
     arguments: ['@config.factory', '@user.auth', '@flood', '@entity.manager']
     tags:
       - { name: authentication_provider, priority: 100 }
+  basic_auth.page_cache_request_policy.disallow_basic_auth_requests:
+      class: Drupal\basic_auth\PageCache\DisallowBasicAuthRequests
+      tags:
+        - { name: page_cache_request_policy }

core/modules/basic_auth/src/PageCache/DisallowBasicAuthRequests.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\basic_auth\PageCache\DisallowBasicAuthRequests.
+ */
+
+namespace Drupal\basic_auth\PageCache;
+
+use Drupal\Core\PageCache\RequestPolicyInterface;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Cache policy for pages served from basic auth.
+ *
+ * This policy disallows caching of requests that use basic_auth for security
+ * reasons. Otherwise responses for authenticated requests can get into the
+ * page cache and could be delivered to unprivileged users.
+ */
+class DisallowBasicAuthRequests implements RequestPolicyInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function check(Request $request) {
+    $username = $request->headers->get('PHP_AUTH_USER');
+    $password = $request->headers->get('PHP_AUTH_PW');
+    if (isset($username) && isset($password)) {
+      return self::DENY;
+    }
+  }
+
+}

core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php

@@ -29,6 +29,12 @@ class BasicAuthTest extends WebTestBase {
    * Test http basic authentication.
    */
   public function testBasicAuth() {
+    // Enable page caching.
+    $config = $this->config('system.performance');
+    $config->set('cache.page.use_internal', 1);
+    $config->set('cache.page.max_age', 300);
+    $config->save();
+
     $account = $this->drupalCreateUser();
     $url = Url::fromRoute('router_test.11');
 
@@ -36,6 +42,8 @@ public function testBasicAuth() {
     $this->assertText($account->getUsername(), 'Account name is displayed.');
     $this->assertResponse('200', 'HTTP response is OK');
     $this->curlClose();
+    $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
+    $this->assertIdentical(strpos($this->drupalGetHeader('Cache-Control'), 'public'), FALSE, 'Cache-Control is not set to public');
 
     $this->basicAuthGet($url, $account->getUsername(), $this->randomMachineName());
     $this->assertNoText($account->getUsername(), 'Bad basic auth credentials do not authenticate the user.');
@@ -56,6 +64,15 @@ public function testBasicAuth() {
     $this->assertNoLink('Log out', 'User is not logged in');
     $this->assertResponse('403', 'No basic authentication for routes not explicitly defining authentication providers.');
     $this->curlClose();
+
+    // Ensure that pages already in the page cache aren't returned from page
+    // cache if basic auth credentials are provided.
+    $url = Url::fromRoute('router_test.10');
+    $this->drupalGet($url);
+    $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'MISS');
+    $this->basicAuthGet($url, $account->getUsername(), $account->pass_raw);
+    $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
+    $this->assertIdentical(strpos($this->drupalGetHeader('Cache-Control'), 'public'), FALSE, 'No page cache response when requesting a cached page with basic auth credentials.');
   }
 
   /**

core/modules/system/tests/modules/router_test_directory/router_test.routing.yml

@@ -48,6 +48,8 @@ router_test.8:
 
 router_test.10:
   path: '/router_test/test10'
+  options:
+    _auth: [ 'basic_auth', 'cookie' ]
   defaults:
     _controller: '\Drupal\router_test\TestContent::test1'
   requirements: