Every controller action now declares explicitly which HTTP methods it accepts (the Method column in the routing table below) instead of matching any method. This was one of the points of feedback from the security audit.
The resulting configuration can be seen in the debug:router output:
 ------------------------------------------ ---------- -------- ------ -----------------------------------
  Name                                       Method     Scheme   Host   Path
 ------------------------------------------ ---------- -------- ------ -----------------------------------
  _wdt                                       ANY        ANY      ANY    /_wdt/{token}
  _profiler_home                             ANY        ANY      ANY    /_profiler/
  _profiler_search                           ANY        ANY      ANY    /_profiler/search
  _profiler_search_bar                       ANY        ANY      ANY    /_profiler/search_bar
  _profiler_phpinfo                          ANY        ANY      ANY    /_profiler/phpinfo
  _profiler_search_results                   ANY        ANY      ANY    /_profiler/{token}/search/results
  _profiler_open_file                        ANY        ANY      ANY    /_profiler/open
  _profiler                                  ANY        ANY      ANY    /_profiler/{token}
  _profiler_router                           ANY        ANY      ANY    /_profiler/{token}/router
  _profiler_exception                        ANY        ANY      ANY    /_profiler/{token}/exception
  _profiler_exception_css                    ANY        ANY      ANY    /_profiler/{token}/exception.css
  _twig_error_test                           ANY        ANY      ANY    /_error/{code}.{_format}
  app_identity_authentication                GET|POST   ANY      ANY    /authentication
  app_identity_authentication_status         GET        ANY      ANY    /authentication/status
  app_identity_authentication_qr             GET        ANY      ANY    /authentication/qr
  app_cancel                                 GET        ANY      ANY    /cancel
  app_info                                   GET        ANY      ANY    /info.html
  app_identity_registration                  GET|POST   ANY      ANY    /registration
  app_identity_registration_status           GET        ANY      ANY    /registration/status
  app_identity_registration_qr               GET        ANY      ANY    /registration/qr
  app_identity_registration_metadata         GET        ANY      ANY    /tiqr.php
  app_tiqrappapi_metadata                    GET        ANY      ANY    /tiqr/tiqr.php
  app_identity_registration_authentication   POST       ANY      ANY    /tiqr.php
  app_tiqrappapi_tiqr                        POST       ANY      ANY    /tiqr/tiqr.php
  gssp_saml_metadata                         GET        ANY      ANY    /saml/metadata
  gssp_saml_sso                              GET        ANY      ANY    /saml/sso
  gssp_saml_sso_return                       POST|GET   ANY      ANY    /saml/sso_return
  sp_demo                                    GET|POST   ANY      ANY    /demo/sp
  sp_demo_acs                                POST       ANY      ANY    /demo/sp/acs
  app_identity_registration_qr_dev           GET        ANY      ANY    /registration/qr/dev
  app_identity_registration_qr_link          GET        ANY      ANY    /registration/qr/link
  app_identity_authentication_qr_dev         GET        ANY      ANY    /authentication/qr/{nameId}
  app_identity_authentication_qr_link        GET        ANY      ANY    /authentication/qr/{nameId}/link
 ------------------------------------------ ---------- -------- ------ -----------------------------------
Note that the routes prefixed with an underscore (_wdt, _profiler_*, _twig_error_test) are not available in production mode. They belong to the Symfony profiler and web debug toolbar, which must stay disabled in prod; they are the only routes in this table that still match ANY method.
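The table above is the artifact an auditor actually checks, so the following added example (not part of the project) turns that check into a script: it parses the plain-text table that bin/console debug:router prints and reports application routes still matching ANY method, routes that share a path with overlapping methods (Symfony uses the first match, so the later one is partly unreachable), and underscore-prefixed debug routes that must not appear in a production dump. The embedded sample is a constructed subset of the table above plus one hypothetical route, example_unrestricted, added only to trigger findings; the file name audit_routes.py in the usage comment is likewise assumed.

```python
"""Audit a Symfony debug:router dump for missing HTTP-method restrictions.

Added example, not the project's own code: it parses the plain-text table
that `bin/console debug:router` prints and reports (1) application routes
whose Method column is ANY, (2) routes that share a path and overlap in
methods, and (3) underscore-prefixed profiler/debug routes that must not
exist in a production dump.
"""
from typing import NamedTuple


class Route(NamedTuple):
    name: str
    methods: tuple  # ("ANY",) or the explicit verbs, e.g. ("GET", "POST")
    scheme: str
    host: str
    path: str


# Constructed sample: a subset of the debug:router output from this page,
# plus one hypothetical route (example_unrestricted) added to trigger findings.
SAMPLE = """\
 ------------------------------------------ ---------- -------- ------ -----------------------------------
  Name                                       Method     Scheme   Host   Path
 ------------------------------------------ ---------- -------- ------ -----------------------------------
  _wdt                                       ANY        ANY      ANY    /_wdt/{token}
  _profiler_phpinfo                          ANY        ANY      ANY    /_profiler/phpinfo
  app_identity_authentication                GET|POST   ANY      ANY    /authentication
  app_identity_authentication_status         GET        ANY      ANY    /authentication/status
  app_identity_registration_metadata         GET        ANY      ANY    /tiqr.php
  app_identity_registration_authentication   POST       ANY      ANY    /tiqr.php
  gssp_saml_sso_return                       POST|GET   ANY      ANY    /saml/sso_return
  example_unrestricted                       ANY        ANY      ANY    /authentication/status
 ------------------------------------------ ---------- -------- ------ -----------------------------------
"""

DEBUG_PREFIX = "_"  # Symfony names profiler / web-debug-toolbar routes this way


def parse_debug_router(text):
    """Turn the debug:router table into Route records, in declaration order."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the dashed separators, the header row and anything malformed.
        if len(fields) != 5 or set(fields[0]) == {"-"} or fields[0] == "Name":
            continue
        name, method, scheme, host, path = fields
        methods = ("ANY",) if method == "ANY" else tuple(method.split("|"))
        routes.append(Route(name, methods, scheme, host, path))
    return routes


def unrestricted_routes(routes):
    """Application routes reachable with any verb: each needs an explicit list."""
    return [r for r in routes
            if "ANY" in r.methods and not r.name.startswith(DEBUG_PREFIX)]


def overlapping_routes(routes):
    """Pairs of routes on one path whose method sets intersect.

    Symfony takes the first matching route in declaration order, so for the
    shared verbs only the earlier route is reachable; an ANY route overlaps
    with every other route on the same path.
    """
    pairs = []
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if a.path != b.path:
                continue
            if "ANY" in a.methods or "ANY" in b.methods or set(a.methods) & set(b.methods):
                pairs.append((a.name, b.name))
    return pairs


def debug_routes(routes):
    """Profiler / web-debug-toolbar routes; a prod dump must contain none."""
    return [r for r in routes if r.name.startswith(DEBUG_PREFIX)]


def audit(text, env="prod"):
    """Return human-readable findings for a debug:router dump taken in `env`."""
    routes = parse_debug_router(text)
    findings = []
    for r in unrestricted_routes(routes):
        findings.append(f"{r.name} ({r.path}) accepts ANY method; set methods explicitly")
    for a, b in overlapping_routes(routes):
        findings.append(f"{a} and {b} overlap on one path; only the earlier one is reachable for shared verbs")
    if env == "prod":
        for r in debug_routes(routes):
            findings.append(f"{r.name} ({r.path}) is a debug route; the profiler is enabled in prod")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: bin/console debug:router | python audit_routes.py prod
    dump = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    env = sys.argv[1] if len(sys.argv) > 1 else "prod"
    for finding in audit(dump, env):
        print(finding)
```

Run against the real dump from the page with env=prod, the script must come back empty; the two routes on /tiqr.php (GET metadata, POST authentication) are reported as disjoint because their method sets do not intersect, which is exactly the pattern the audit asked for.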
See: https://www.pivotaltracker.com/story/show/158356676