From 3d8ec066f86df2521c45ea9f02df2bde8c3aaf5e Mon Sep 17 00:00:00 2001
From: Matt Janssen
Date: Wed, 28 Oct 2015 13:16:17 -0500
Subject: [PATCH 1/2] File System Security Issue in Custom Auth Article I hope to address this security concern: If `$token->nonce` is set to [ANY USER INPUT] and later we run `file_put_contents($token->nonce, time())` are we allowing hackers to destroy any www-writable file in the system? I did notice that `$nonce` is run through `base64_decode($nonce)` later in the article, implying nonce needs to be a Base64 string. Could this Regex be updated to only accept a Base64 string `[a-zA-Z+/]+={0,2}` for the nonce? At the same time, Base64 allows `/` characters, so `file_put_contents()` would fail in those cases, so even this change, while secure, seems flawed. Replace [+/] with [-_]?
---
 cookbook/security/custom_authentication_provider.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cookbook/security/custom_authentication_provider.rst b/cookbook/security/custom_authentication_provider.rst
index 0b3d3d8d7d5..2b215dd60e7 100644
--- a/cookbook/security/custom_authentication_provider.rst
+++ b/cookbook/security/custom_authentication_provider.rst
@@ -134,7 +134,7 @@ set an authenticated token in the token storage if successful.
 {
 $request = $event->getRequest();
- $wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
+ $wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([a-zA-Z+/]+={0,2})", Created="([^"]+)"/';
 if (!$request->headers->has('x-wsse') || 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) {
 return;
 }
From 77aa8de9099810032f30b6725b6fc9e1165b63c9 Mon Sep 17 00:00:00 2001
From: Matt Janssen
Date: Wed, 28 Oct 2015 13:23:55 -0500
Subject: [PATCH 2/2] Added digits to Base64 string
---
 cookbook/security/custom_authentication_provider.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
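Review bot: The pattern on the `+` line uses `/` as the PCRE delimiter but also places an unescaped `/` inside the `Nonce` character class `[a-zA-Z+/]`; PHP finds the closing delimiter by scanning for the first unescaped `/` without regard to bracket expressions, so the pattern is cut off at `+/` and the rest of the string is read as modifiers. `preg_match` then emits an "Unknown modifier" warning and returns `false`, which the `1 !== preg_match(...)` test turns into an unconditional early `return` — the listener fails closed, but no WSSE header can ever authenticate. Escape it as `Nonce="([a-zA-Z+\/]+={0,2})"` or switch the delimiter, e.g. `'~UsernameToken ... ~'`. The same unescaped `/` is carried into the character class of the second patch's hunk on the next line. The enclosing `handle()` method continues outside the hunk.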
diff --git a/cookbook/security/custom_authentication_provider.rst b/cookbook/security/custom_authentication_provider.rst
index 2b215dd60e7..d6f50008049 100644
--- a/cookbook/security/custom_authentication_provider.rst
+++ b/cookbook/security/custom_authentication_provider.rst
@@ -134,7 +134,7 @@ set an authenticated token in the token storage if successful.
 {
 $request = $event->getRequest();
- $wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([a-zA-Z+/]+={0,2})", Created="([^"]+)"/';
+ $wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([a-zA-Z0-9+/]+={0,2})", Created="([^"]+)"/';
 if (!$request->headers->has('x-wsse') || 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) {
 return;
 }
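Review bot: Tightening the `Nonce` class to `[a-zA-Z0-9+/]+={0,2}` still admits `/`, so a header value that matches can contain path separators, and — as the commit message itself notes — restricting the regex does not make the raw nonce safe to use as a file name; the later `file_put_contents` call this change is meant to protect is outside the hunk, so I cannot confirm how that path is built. The robust fix belongs at that call: derive the cache file name from a transformation of the nonce (for example a hex digest via `hash('sha256', $nonce)`) rather than from the header text, and treat the regex as an input-format check only. Worth a comment on the `+` line such as `// Format check only: the nonce is still untrusted and must not be used directly as a path`.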