fix security bug with PHP_AUTH_USER
[github/wallabag/wallabag.git] / inc / poche / Poche.class.php
index 15d83bfe5fffcc6cc7e9749ee739f0adca8712af..9014f455f83e8b2b478bccf2093817f091317929 100755 (executable)
@@ -448,8 +448,9 @@ class Poche
                 $themes = $this->tpl->getInstalledThemes();
                 $languages = $this->language->getInstalledLanguages();
                 $token = $this->user->getConfigValue('token');
-                $http_auth = (isset($_SERVER['PHP_AUTH_USER']) || isset($_SERVER['REMOTE_USER'])) ? true : false;
+                $http_auth = isset($_SERVER['REMOTE_USER']);
                 $only_user = ($this->store->listUsers() > 1) ? false : true;
+                $https = substr(Tools::getPocheUrl(), 0, 5) == 'https';
                 $tpl_vars = array(
                     'themes' => $themes,
                     'languages' => $languages,
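Review bot: The added `$https` line tests only the first five characters with a loose `==`, so any URL string that merely begins with `https` is reported as secure. An anchored, strict check would be safer: `$https = strpos(Tools::getPocheUrl(), 'https://') === 0;`. The flag is also only as trustworthy as whatever `Tools::getPocheUrl()` reads to pick the scheme, which is not visible in this hunk. If it honours forwarded-protocol request headers, the value is client-influenced and should not gate anything security-relevant in the template. On the line above, `isset($_SERVER['REMOTE_USER'])` deserves a short comment such as `// REMOTE_USER is set by the web server after it authenticated the request; PHP_AUTH_USER only mirrors the client's Authorization header`, so the removed check is not reintroduced later. The enclosing `case` block starts and ends outside the hunk.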
@@ -462,7 +463,8 @@ class Poche
                     'token' => $token,
                     'user_id' => $this->user->getId(),
                     'http_auth' => $http_auth,
-                    'only_user' => $only_user
+                    'only_user' => $only_user,
+                    'https' => $https
                 );
                 Tools::logm('config view');
                 break;
@@ -653,9 +655,6 @@ class Poche
      */
     private function credentials()
     {
-        if (isset($_SERVER['PHP_AUTH_USER'])) {
-            return array($_SERVER['PHP_AUTH_USER'], 'php_auth', true);
-        }
         if (!empty($_POST['login']) && !empty($_POST['password'])) {
             return array($_POST['login'], $_POST['password'], false);
         }