diff options
author | Thomas Citharel <tcit@tcit.fr> | 2015-07-28 15:41:21 +0200 |
---|---|---|
committer | Thomas Citharel <tcit@tcit.fr> | 2015-07-28 15:41:21 +0200 |
commit | a506f5b3481c00949db7bf72903f272a6b8c2954 (patch) | |
tree | 26f386eb3472cf51652378aed5a078aaba175f2c | |
parent | 2098509cb2ea986816e2acd5685c749dc9f02571 (diff) | |
download | wallabag-a506f5b3481c00949db7bf72903f272a6b8c2954.tar.gz wallabag-a506f5b3481c00949db7bf72903f272a6b8c2954.tar.zst wallabag-a506f5b3481c00949db7bf72903f272a6b8c2954.zip |
fix security bug with PHP_AUTH_USER
-rwxr-xr-x | inc/poche/Poche.class.php | 5 | ||||
-rwxr-xr-x | inc/poche/Routing.class.php | 9 |
2 files changed, 1 insertions, 13 deletions
diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php index ea196ce2..9014f455 100755 --- a/inc/poche/Poche.class.php +++ b/inc/poche/Poche.class.php | |||
@@ -448,7 +448,7 @@ class Poche | |||
448 | $themes = $this->tpl->getInstalledThemes(); | 448 | $themes = $this->tpl->getInstalledThemes(); |
449 | $languages = $this->language->getInstalledLanguages(); | 449 | $languages = $this->language->getInstalledLanguages(); |
450 | $token = $this->user->getConfigValue('token'); | 450 | $token = $this->user->getConfigValue('token'); |
451 | $http_auth = (isset($_SERVER['PHP_AUTH_USER']) || isset($_SERVER['REMOTE_USER'])) ? true : false; | 451 | $http_auth = isset($_SERVER['REMOTE_USER']); |
452 | $only_user = ($this->store->listUsers() > 1) ? false : true; | 452 | $only_user = ($this->store->listUsers() > 1) ? false : true; |
453 | $https = substr(Tools::getPocheUrl(), 0, 5) == 'https'; | 453 | $https = substr(Tools::getPocheUrl(), 0, 5) == 'https'; |
454 | $tpl_vars = array( | 454 | $tpl_vars = array( |
@@ -655,9 +655,6 @@ class Poche | |||
655 | */ | 655 | */ |
656 | private function credentials() | 656 | private function credentials() |
657 | { | 657 | { |
658 | if (isset($_SERVER['PHP_AUTH_USER'])) { | ||
659 | return array($_SERVER['PHP_AUTH_USER'], 'php_auth', true); | ||
660 | } | ||
661 | if (!empty($_POST['login']) && !empty($_POST['password'])) { | 658 | if (!empty($_POST['login']) && !empty($_POST['password'])) { |
662 | return array($_POST['login'], $_POST['password'], false); | 659 | return array($_POST['login'], $_POST['password'], false); |
663 | } | 660 | } |
diff --git a/inc/poche/Routing.class.php b/inc/poche/Routing.class.php index 33a81435..fb37a838 100755 --- a/inc/poche/Routing.class.php +++ b/inc/poche/Routing.class.php | |||
@@ -75,15 +75,6 @@ class Routing | |||
75 | } elseif (ALLOW_REGISTER && isset($_GET['register'])){ | 75 | } elseif (ALLOW_REGISTER && isset($_GET['register'])){ |
76 | $this->wallabag->createNewUser($_POST['newusername'], $_POST['password4newuser'], $_POST['newuseremail']); | 76 | $this->wallabag->createNewUser($_POST['newusername'], $_POST['password4newuser'], $_POST['newuseremail']); |
77 | Tools::redirect(); | 77 | Tools::redirect(); |
78 | } elseif(isset($_SERVER['PHP_AUTH_USER'])) { | ||
79 | if($this->wallabag->store->userExists($_SERVER['PHP_AUTH_USER'])) { | ||
80 | $this->wallabag->login($this->referer); | ||
81 | } else { | ||
82 | $this->wallabag->messages->add('e', _('login failed: user doesn\'t exist')); | ||
83 | Tools::logm('user doesn\'t exist'); | ||
84 | $tplFile = Tools::getTplFile('login'); | ||
85 | $tplVars['http_auth'] = 1; | ||
86 | } | ||
87 | } elseif(isset($_SERVER['REMOTE_USER'])) { | 78 | } elseif(isset($_SERVER['REMOTE_USER'])) { |
88 | if($this->wallabag->store->userExists($_SERVER['REMOTE_USER'])) { | 79 | if($this->wallabag->store->userExists($_SERVER['REMOTE_USER'])) { |
89 | $this->wallabag->login($this->referer); | 80 | $this->wallabag->login($this->referer); |