When an app is configured with request_verification_enabled=True and ssl_check_enabled=False, a form-encoded request containing ssl_check=1 skips Slack signature verification.
RequestVerification._can_skip currently treats any parsed body with ssl_check=1 as safe to bypass, but that check is independent of whether the SslCheck middleware is enabled. If the SSL-check middleware is disabled, the request can continue through the normal middleware/listener pipeline without a valid Slack signature.
Expected behavior: ssl_check=1 should only bypass normal dispatch when the SSL-check middleware handles the request. If SSL-check handling is disabled, request verification should still require a valid Slack signature.
This affects both sync and async request verification paths.
When an app is configured with
request_verification_enabled=Trueandssl_check_enabled=False, a form-encoded request containingssl_check=1skips Slack signature verification.RequestVerification._can_skipcurrently treats any parsed body withssl_check=1as safe to bypass, but that check is independent of whether theSslCheckmiddleware is enabled. If the SSL-check middleware is disabled, the request can continue through the normal middleware/listener pipeline without a valid Slack signature.Expected behavior:
ssl_check=1should only bypass normal dispatch when the SSL-check middleware handles the request. If SSL-check handling is disabled, request verification should still require a valid Slack signature.This affects both sync and async request verification paths.