oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-07-27 17:28:39 +00:00
Code Wiki Activity

Merge pull request #1252 from wallabag/securityfix

Browse source 
fix security bug with PHP_AUTH_USER
This commit is contained in:
Thomas Citharel 2015-07-30 12:14:55 +02:00
commit 392a37e56a
2 changed files with 1 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

5
inc/poche/Poche.class.php
View file

@ -448,7 +448,7 @@ class Poche
$themes = $this->tpl->getInstalledThemes();
$languages = $this->language->getInstalledLanguages();
$token = $this->user->getConfigValue('token');
$http_auth = (isset($_SERVER['PHP_AUTH_USER']) || isset($_SERVER['REMOTE_USER'])) ? true : false;
$http_auth = isset($_SERVER['REMOTE_USER']);
$only_user = ($this->store->listUsers() > 1) ? false : true;
$https = substr(Tools::getPocheUrl(), 0, 5) == 'https';
$tpl_vars = array(
@ -655,9 +655,6 @@ class Poche
*/
private function credentials()
{
if (isset($_SERVER['PHP_AUTH_USER'])) {
return array($_SERVER['PHP_AUTH_USER'], 'php_auth', true);
}
if (!empty($_POST['login']) && !empty($_POST['password'])) {
return array($_POST['login'], $_POST['password'], false);
}

9
inc/poche/Routing.class.php
View file

@ -75,15 +75,6 @@ class Routing
} elseif (ALLOW_REGISTER && isset($_GET['register'])){
$this->wallabag->createNewUser($_POST['newusername'], $_POST['password4newuser'], $_POST['newuseremail']);
Tools::redirect();
} elseif(isset($_SERVER['PHP_AUTH_USER'])) {
if($this->wallabag->store->userExists($_SERVER['PHP_AUTH_USER'])) {
$this->wallabag->login($this->referer);
} else {
$this->wallabag->messages->add('e', _('login failed: user doesn\'t exist'));
Tools::logm('user doesn\'t exist');
$tplFile = Tools::getTplFile('login');
$tplVars['http_auth'] = 1;
}
} elseif(isset($_SERVER['REMOTE_USER'])) {
if($this->wallabag->store->userExists($_SERVER['REMOTE_USER'])) {
$this->wallabag->login($this->referer);