Issue #3437524: Empty parameter logic missing and allow parameter check is wrong

076b29aa · Carsten Logemann · 4b1c6017 · 076b29aa · 076b29aa
Commit 076b29aa authored 1 year ago by Carsten Logemann
--- a/README.md
+++ b/README.md
@@ -59,13 +59,14 @@ $settings['firewall']['rules']['public.example.com'] = [
    'path' => '*',
    'exit' => FALSE,
    'mode' => 'allow',
-    'methods' => ['GET' => ['*']]
+    // Allow GET with not parameters sent (empty query).
+    'methods' => ['GET' => []]
  ],
  [
    'path' => '/form/contact',
    'mode' => 'allow',
    'methods' => [
-      'GET' => ['*'],
+      'GET' => [],
      // POST parameters used by default contact form config of webform module.
      'POST' => ['name', 'email', 'subject', 'message', 'op', 'form_id', 'form_build_id'],
     ],

--- a/src/FirewallHttpKernelMiddleware.php
+++ b/src/FirewallHttpKernelMiddleware.php
@@ -110,7 +110,19 @@ class FirewallHttpKernelMiddleware implements HttpKernelInterface {
            $this_method_param_match = FALSE;
            $this_methods = $rule['methods'] ?? [];
            $this_keys = $this_methods[$active_method] ?? [];
-            if ($this_keys != []) {
+            if ($this_keys == []) {
+              if ($this_mode == 'deny') {
+                // No need to check Parameter.
+                $this_method_param_match = TRUE;
+              }
+              else {
+                // Allow GET with empty query parameter.
+                if ($params_sent == []) {
+                  $this_method_param_match = TRUE;
+                }
+              }
+            }
+            else {
              if ($this_mode == 'allow' && $params_sent == []) {
                $this_method_param_match = TRUE;
              }
@@ -132,29 +144,32 @@ class FirewallHttpKernelMiddleware implements HttpKernelInterface {
                      if (!\in_array($params_sent_key, $this_keys)) {
                        // True if one key is not in (allow) list.
                        $this_key_match = TRUE;
-                        continue;
+                        break;
                      }
                    }
                  }
-                  if ($this_key_match) {
+
+                  if ($this_key_match == TRUE && $this_mode == 'deny') {
+                    $this_method_param_match = TRUE;
+                  }
+                  if ($this_key_match == FALSE && $this_mode == 'allow') {
                    $this_method_param_match = TRUE;
                  }
                }
              }
-
-              if ($this_method_param_match) {
-                if ($this_redirect) {
-                  $redirect_url = $this_redirect_base . $this_redirect_path;
-                }
-                if ($this_mode == 'allow') {
-                  $deny = FALSE;
-                }
-                else {
-                  $deny = TRUE;
-                }
-                if ($this_exit) {
-                  break;
-                }
+            }
+            if ($this_method_param_match) {
+              if ($this_redirect) {
+                $redirect_url = $this_redirect_base . $this_redirect_path;
+              }
+              if ($this_mode == 'allow') {
+                $deny = FALSE;
+              }
+              else {
+                $deny = TRUE;
+              }
+              if ($this_exit) {
+                break;
              }
            }
          }