From b05eb73b624322a2e677caf0c5827ad49794beb2 Mon Sep 17 00:00:00 2001
From: MartinBeranek
Date: Mon, 20 Apr 2026 15:50:06 +0200
Subject: [PATCH 1/3] Input validation before authorization check in ApiPresenter

---
 CHANGELOG.md | 3 +++
 src/Presenters/ApiPresenter.php | 11 ++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f06437..9777f29 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ Updates should follow the [Keep a CHANGELOG](http://keepachangelog.com/) princip
 
 ## [Unreleased][unreleased]
 
+### Fixed
+- Input validation before authorization check in ApiPresenter (causes issues with some authorization handlers that need to check input params)
+
 ## 3.4.0
 
 ### Added
diff --git a/src/Presenters/ApiPresenter.php b/src/Presenters/ApiPresenter.php
index 53ea901..68b1a5b 100644
--- a/src/Presenters/ApiPresenter.php
+++ b/src/Presenters/ApiPresenter.php
@@ -85,6 +85,12 @@ public function run(Request $request): IResponse
         }
 
         $paramsProcessor = new ParamsProcessor($handler->params());
+
+        $authResponse = $this->checkAuth($authorization, $paramsProcessor->getValues());
+        if ($authResponse !== null) {
+            return $authResponse;
+        }
+
         if ($paramsProcessor->isError()) {
             $response = $this->errorHandler->handleInputParams($paramsProcessor->getErrors());
             $this->response->setCode($response->getCode());
@@ -93,11 +99,6 @@ public function run(Request $request): IResponse
 
         $params = $paramsProcessor->getValues();
 
-        $authResponse = $this->checkAuth($authorization, $params);
-        if ($authResponse !== null) {
-            return $authResponse;
-        }
-
         try {
             $response = $handler->handle($params);
             $code = $response->getCode();

From dba54318733224019128ad9736aa5cc46db6558a Mon Sep 17 00:00:00 2001
From: MartinBeranek
Date: Fri, 8 May 2026 10:02:46 +0200
Subject: [PATCH 2/3] get params once

---
 src/Presenters/ApiPresenter.php | 13 ++++++------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/Presenters/ApiPresenter.php b/src/Presenters/ApiPresenter.php
index 68b1a5b..801da4e 100644
--- a/src/Presenters/ApiPresenter.php
+++ b/src/Presenters/ApiPresenter.php
@@ -85,8 +85,9 @@ public function run(Request $request): IResponse
         }
 
         $paramsProcessor = new ParamsProcessor($handler->params());
+        $params = $paramsProcessor->isError() ? [] : $paramsProcessor->getValues();
 
-        $authResponse = $this->checkAuth($authorization, $paramsProcessor->getValues());
+        $authResponse = $this->checkAuth($authorization, $params);
         if ($authResponse !== null) {
             return $authResponse;
         }
@@ -97,8 +98,6 @@ public function run(Request $request): IResponse
             return $response;
         }
 
-        $params = $paramsProcessor->getValues();
-
         try {
             $response = $handler->handle($params);
             $code = $response->getCode();
@@ -146,7 +145,7 @@ private function getApi(Request $request): Api
             $request->getMethod() ?? '',
             $request->getParameter('version'),
             $request->getParameter('package'),
-            $request->getParameter('apiAction')
+            $request->getParameter('apiAction'),
         );
     }
 
@@ -217,10 +216,10 @@ private function logRequest(Request $request, ApiLoggerInterface $logger, int $c
             $code,
             $request->getMethod() ?? '',
             $requestHeaders,
-            (string) filter_input(INPUT_SERVER, 'REQUEST_URI'),
+            (string)filter_input(INPUT_SERVER, 'REQUEST_URI'),
             $ipDetector->getRequestIp(),
-            (string) filter_input(INPUT_SERVER, 'HTTP_USER_AGENT'),
-            (int) ($elapsed * self::TO_SECONDS)
+            (string)filter_input(INPUT_SERVER, 'HTTP_USER_AGENT'),
+            (int)($elapsed * self::TO_SECONDS),
         );
     }
 

From 488954720f9eed400f6d76de7e8446f9a2cdd8f8 Mon Sep 17 00:00:00 2001
From: MartinBeranek
Date: Fri, 8 May 2026 10:05:13 +0200
Subject: [PATCH 3/3] changelog

---
 CHANGELOG.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 975b9e0..51304fa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
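Review bot: When input validation fails, the new `$params` line hands the authorization handler an empty array instead of the submitted values, so an authorizer that keys its decision on a parameter (the changelog entry says some handlers need to check input params) decides on `[]` and cannot distinguish missing from malformed input; that is only safe if such handlers fail closed on an empty array, which nothing in the hunk enforces. The ordering itself is security-relevant and deserves a comment: a caller rejected by `checkAuth` returns before the `isError()` branch, so validation error details are no longer handed out ahead of authorization. I would add above the `$params` line: `// Authorize before input validation so unauthorised callers receive no validation details; on invalid input the authorizer sees [] and must fail closed — the validation error response below is still returned afterwards.` `isError()` is also evaluated twice (here and in the following `if`), which presumably is cheap and side-effect free but is worth confirming. `run()` begins and ends outside the hunk.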
@@ -5,8 +5,6 @@ Updates should follow the [Keep a CHANGELOG](http://keepachangelog.com/) princip
 ## [Unreleased][unreleased]
 ### Fixed
 - Don't overwrite global preflight handler if it is set and enableGlobalPreflight is called without parameter
-
-### Fixed
 - Input validation before authorization check in ApiPresenter (causes issues with some authorization handlers that need to check input params)
 
 ## 3.4.0