t11n

Reputation: 46

Access Control seems to be ignored when route is not found in Symfony

We have the following security settings for our symfony3 project:

firewalls:
    myfirewall:
        pattern: ^/myapi
        stateless: true
        http_basic: ~
        anonymous: false

access_control:
    - { path: ^/myapi, ips: ['192.168.0.155'], roles: ROLE_USER }
    - { path: ^/myapi, roles: ROLE_NO_ACCESS }

Besides that there is an in-memory provider. This works fine when routes are hit. A call to /myapi/resource/123 is protected. But unfortunately, /myapi/res is not. A request to this URI results in a 404.

This way the bad guys are able to determine whether a resource exists or not.

Does anyone know why this happens/what is wrong? I am a little bit clueless.

Thanks!

Upvotes: 1

Views: 263

Answers (1)

t11n

Reputation: 46

Hmm, seems like Fabien did it :-/ https://github.com/symfony/symfony/issues/8414

Although truly not that big a security issue, this does not give us the freedom to design our APIs the way we want.

Upvotes: 1
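The practical way around the behaviour described in the question is to make sure every URI under ^/myapi matches some route, so the router never throws a 404 before the firewall has had a chance to run. The controller below is an added example for a Symfony 3 application; it is not code from the question, the answer, or the Symfony project, and the bundle name, controller name, route name and the `{path}` parameter are assumptions. The route itself is defined in YAML (shown in the comment) and must be the last route imported, because in Symfony 3 route precedence is import order.

```php
<?php
// Added example, not from the question or the Symfony project. Bundle,
// controller, route name and the {path} parameter are assumptions.
//
// Why the original config leaks resource existence: on kernel.request the
// RouterListener (priority 32) runs before the security Firewall listener
// (priority 8). If no route matches /myapi/res, the router throws
// NotFoundHttpException, the firewall never runs, access_control is never
// evaluated, and an unauthenticated caller gets a 404 instead of a 401.
//
// Fix: register a catch-all route for /myapi/... so the router always matches,
// the firewall and access_control run, and only an authenticated caller that
// passes the ^/myapi rules reaches the controller that produces the 404.
//
// Import this as the LAST entry in app/config/routing.yml (assumed location);
// anything imported after it under /myapi would be shadowed:
//
//   myapi_fallback:
//       path: /myapi/{path}
//       requirements:
//           path: '.*'
//       defaults:
//           path: ''
//           _controller: AppBundle:ApiFallback:notFound
//
// Expected results with the question's firewall and access_control:
//   no credentials                      -> 401 from the http_basic entry point
//   valid credentials, wrong source IP  -> 403 (ROLE_NO_ACCESS rule)
//   valid credentials, allowed IP       -> 404 from this controller

namespace AppBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;

class ApiFallbackController extends Controller
{
    /**
     * Reached only after http_basic authentication succeeded and the
     * access_control rules for ^/myapi allowed the request. It returns the
     * same 404 the router would have produced, but only to callers who are
     * permitted to learn that the resource does not exist.
     *
     * @param string $path the unmatched remainder of the URI (assumed name)
     */
    public function notFoundAction($path)
    {
        // createNotFoundException() throws NotFoundHttpException, so the
        // framework's normal 404 handling (exception listener, logging) applies.
        throw $this->createNotFoundException(
            sprintf('No API resource at /myapi/%s', $path)
        );
    }
}
```

Because the catch-all route has a `.*` requirement, it also swallows typos such as /myapi/resource/123/ that previously returned 404 before authentication; genuine API routes still win as long as they are imported before `myapi_fallback`.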
