
UrlSigner
in package

Final: Yes

This class is entirely based on Symfony\Component\HttpKernel\UriSigner.

(c) Fabien Potencier fabien@symfony.com - MIT License.

Tags
author

Javier Eguiluz javier.eguiluz@gmail.com

Table of Contents

Properties

$kernelSecret  : string

Methods

__construct()  : mixed
check()  : bool
Checks that a URL contains a valid signature.
sign()  : string
Signs a URL adding a query parameter with a hash generated with the values of some of the URL query parameters.
buildUrl()  : string
computeHash()  : string
getQueryParamsToSign()  : array<string|int, mixed>
Instead of signing the entire URL, including all its query parameters, sign only a few parameters that can be used to attack a backend.

Methods

__construct()

public __construct(string $kernelSecret) : mixed
Parameters
$kernelSecret : string

check()

Checks that a URL contains a valid signature.

public check(string $url) : bool
Parameters
$url : string
Return values
bool

sign()

Signs a URL adding a query parameter with a hash generated with the values of some of the URL query parameters.

public sign(string $url) : string
Parameters
$url : string
Return values
string

buildUrl()

private buildUrl(array<string|int, mixed> $urlParts[, array<string|int, mixed> $queryParams = [] ]) : string
Parameters
$urlParts : array<string|int, mixed>
$queryParams : array<string|int, mixed> = []
Return values
string

computeHash()

private computeHash(array<string|int, mixed> $queryParameters) : string
Parameters
$queryParameters : array<string|int, mixed>
Return values
string

getQueryParamsToSign()

Instead of signing the entire URL, including all its query parameters, sign only a few parameters that can be used to attack a backend by:

  • Enumerating all entities of a certain type (EA::ENTITY_ID)
  • Accessing all application entities (EA::CRUD_CONTROLLER_FQCN)
  • Accessing any CRUD controller method (EA::CRUD_ACTION)
  • Accessing any application route (EA::ROUTE_NAME)
  • Meddling with the parameters of any application route (EA::ROUTE_PARAMS)

The rest of the query parameters are not relevant for the signature (EA::PAGE, EA::SORT, etc.) or are dynamically set by the user (EA::QUERY, EA::FILTERS, etc.), so they can't be included in a signature calculated before providing that data.

private getQueryParamsToSign(array<string|int, mixed> $queryParams) : array<string|int, mixed>

Parameters
$queryParams : array<string|int, mixed>
Return values
array<string|int, mixed>
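
The selective signing described for getQueryParamsToSign(), as an added sketch that is not EasyAdmin's or Symfony's code: it shows that changing an unsigned parameter leaves the signature valid, while changing a signed one fails the check. The parameter names, the `signature` parameter, the HMAC-SHA256 construction and the function names are assumptions standing in for the EA::* constants and the class's private methods.

```php
<?php
// Added sketch, not EasyAdmin code. Names below are assumed stand-ins
// for the EA::* constants and for the signature query parameter.
const SIGNED_PARAMS = ['entityId', 'crudControllerFqcn', 'crudAction', 'routeName', 'routeParams'];
const SIGNATURE_PARAM = 'signature';

function paramsToSign(array $query): array
{
    // Keep only the security-relevant parameters; sort so order cannot change the hash.
    $signed = array_intersect_key($query, array_flip(SIGNED_PARAMS));
    ksort($signed);
    return $signed;
}

function computeHash(array $params, string $secret): string
{
    // HMAC-SHA256 is an assumed construction; output is URL-safe base64.
    $mac = hash_hmac('sha256', http_build_query($params), $secret, true);
    return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
}

function signUrl(string $url, string $secret): string
{
    // Handles path-and-query URLs only, to keep the sketch short.
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    unset($query[SIGNATURE_PARAM]);
    $query[SIGNATURE_PARAM] = computeHash(paramsToSign($query), $secret);
    return ($parts['path'] ?? '/') . '?' . http_build_query($query);
}

function checkUrl(string $url, string $secret): bool
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    $given = $query[SIGNATURE_PARAM] ?? null;
    if (!is_string($given)) {
        return false; // missing, or sent as an array (signature[]=...)
    }
    unset($query[SIGNATURE_PARAM]);
    return hash_equals(computeHash(paramsToSign($query), $secret), $given); // constant-time
}

// Constructed sample input.
$secret = 'constructed-demo-secret';
$signed = signUrl('/admin?crudAction=edit&crudControllerFqcn=App%5CProductCrud&entityId=7&page=2', $secret);
var_dump(checkUrl($signed, $secret));                                          // URL as signed
var_dump(checkUrl(str_replace('page=2', 'page=9', $signed), $secret));         // unsigned 'page' changed
var_dump(checkUrl(str_replace('entityId=7', 'entityId=8', $signed), $secret)); // signed 'entityId' changed
```

Because the unsigned parameters carry no integrity protection, the backend still has to treat them as untrusted input.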

        