From: Andreas Fischer Date: Sat, 19 Jul 2014 00:06:37 +0000 (+0200) Subject: Deduplicate user/password extraction from alternative HTTP headers. X-Git-Tag: v7.0.1RC1~4^2~2 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=0e732982ae73ce37a824b10879ea9d2aae1dd73f;p=nextcloud-server.git Deduplicate user/password extraction from alternative HTTP headers. --- diff --git a/lib/base.php b/lib/base.php index 840d9044711..95e3a30cdee 100644 --- a/lib/base.php +++ b/lib/base.php @@ -477,22 +477,20 @@ class OC { $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['HTTP_XAUTHORIZATION']; } - //set http auth headers for apache+php-cgi work around - if (isset($_SERVER['HTTP_AUTHORIZATION']) - && preg_match('/Basic\s+(.*)$/i', $_SERVER['HTTP_AUTHORIZATION'], $matches) - ) { - list($name, $password) = explode(':', base64_decode($matches[1]), 2); - $_SERVER['PHP_AUTH_USER'] = strip_tags($name); - $_SERVER['PHP_AUTH_PW'] = strip_tags($password); - } - - //set http auth headers for apache+php-cgi work around if variable gets renamed by apache - if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) - && preg_match('/Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches) - ) { - list($name, $password) = explode(':', base64_decode($matches[1]), 2); - $_SERVER['PHP_AUTH_USER'] = strip_tags($name); - $_SERVER['PHP_AUTH_PW'] = strip_tags($password); + // Extract PHP_AUTH_USER/PHP_AUTH_PW from other headers if necessary. + $httpAuthHeaderServerVars = array( + 'HTTP_AUTHORIZATION', // apache+php-cgi work around + 'REDIRECT_HTTP_AUTHORIZATION', // apache+php-cgi alternative + ); + foreach ($httpAuthHeaderServerVars as $httpAuthHeaderServerVar) { + if (isset($_SERVER[$httpAuthHeaderServerVar]) + && preg_match('/Basic\s+(.*)$/i', $_SERVER[$httpAuthHeaderServerVar], $matches) + ) { + list($name, $password) = explode(':', base64_decode($matches[1]), 2); + $_SERVER['PHP_AUTH_USER'] = strip_tags($name); + $_SERVER['PHP_AUTH_PW'] = strip_tags($password); + break; + } } self::initPaths();