From 0e732982ae73ce37a824b10879ea9d2aae1dd73f Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Sat, 19 Jul 2014 02:06:37 +0200 Subject: [PATCH] Deduplicate user/password extraction from alternative HTTP headers. --- lib/base.php | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/lib/base.php b/lib/base.php index 840d9044711..95e3a30cdee 100644 --- a/lib/base.php +++ b/lib/base.php @@ -477,22 +477,20 @@ class OC { $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['HTTP_XAUTHORIZATION']; } - //set http auth headers for apache+php-cgi work around - if (isset($_SERVER['HTTP_AUTHORIZATION']) - && preg_match('/Basic\s+(.*)$/i', $_SERVER['HTTP_AUTHORIZATION'], $matches) - ) { - list($name, $password) = explode(':', base64_decode($matches[1]), 2); - $_SERVER['PHP_AUTH_USER'] = strip_tags($name); - $_SERVER['PHP_AUTH_PW'] = strip_tags($password); - } - - //set http auth headers for apache+php-cgi work around if variable gets renamed by apache - if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) - && preg_match('/Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches) - ) { - list($name, $password) = explode(':', base64_decode($matches[1]), 2); - $_SERVER['PHP_AUTH_USER'] = strip_tags($name); - $_SERVER['PHP_AUTH_PW'] = strip_tags($password); + // Extract PHP_AUTH_USER/PHP_AUTH_PW from other headers if necessary. + $httpAuthHeaderServerVars = array( + 'HTTP_AUTHORIZATION', // apache+php-cgi work around + 'REDIRECT_HTTP_AUTHORIZATION', // apache+php-cgi alternative + ); + foreach ($httpAuthHeaderServerVars as $httpAuthHeaderServerVar) { + if (isset($_SERVER[$httpAuthHeaderServerVar]) + && preg_match('/Basic\s+(.*)$/i', $_SERVER[$httpAuthHeaderServerVar], $matches) + ) { + list($name, $password) = explode(':', base64_decode($matches[1]), 2); + $_SERVER['PHP_AUTH_USER'] = strip_tags($name); + $_SERVER['PHP_AUTH_PW'] = strip_tags($password); + break; + } } self::initPaths(); -- 2.39.5