by rohan_ 449 days ago
Most don't understand this issue:

Auth middleware is used for _routing_ (e.g. if you're not signed in, you'll be redirected to the sign-in page).

This just means a 500 is thrown due to the auth() call returning null on the server.

1 comment

That depends entirely on how you implemented your middleware.

This vulnerability also isn't explicitly about auth: it's about attackers being able to send a colon-separated list of middleware to skip. That could affect applications in all kinds of unexpected ways depending on what they are using middleware for and how they designed their application.