From fafed17c605e1c30850337ccc2f2c0e05ac65e75 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Sat, 19 Jul 2014 02:06:37 +0200
Subject: Deduplicate user/password extraction from alternative HTTP headers.

---
 lib/base.php | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/lib/base.php b/lib/base.php
index 840d9044711..95e3a30cdee 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -477,22 +477,20 @@ class OC {
 $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['HTTP_XAUTHORIZATION'];
 }
 
- //set http auth headers for apache+php-cgi work around
- if (isset($_SERVER['HTTP_AUTHORIZATION'])
- && preg_match('/Basic\s+(.*)$/i', $_SERVER['HTTP_AUTHORIZATION'], $matches)
- ) {
- list($name, $password) = explode(':', base64_decode($matches[1]), 2);
- $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
- $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
- }
-
- //set http auth headers for apache+php-cgi work around if variable gets renamed by apache
- if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])
- && preg_match('/Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)
- ) {
- list($name, $password) = explode(':', base64_decode($matches[1]), 2);
- $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
- $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
+ // Extract PHP_AUTH_USER/PHP_AUTH_PW from other headers if necessary.
+ $httpAuthHeaderServerVars = array(
+ 'HTTP_AUTHORIZATION', // apache+php-cgi work around
+ 'REDIRECT_HTTP_AUTHORIZATION', // apache+php-cgi alternative
+ );
+ foreach ($httpAuthHeaderServerVars as $httpAuthHeaderServerVar) {
+ if (isset($_SERVER[$httpAuthHeaderServerVar])
+ && preg_match('/Basic\s+(.*)$/i', $_SERVER[$httpAuthHeaderServerVar], $matches)
+ ) {
+ list($name, $password) = explode(':', base64_decode($matches[1]), 2);
+ $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
+ $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
+ break;
+ }
 }
 
 self::initPaths();
-- cgit v1.2.3
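Review bot: The consolidated loop still unpacks `explode(':', base64_decode($matches[1]), 2)` straight into `list($name, $password)`, so a header whose decoded credentials contain no `:` raises an undefined-offset notice, leaves `$password` null, and still publishes `PHP_AUTH_USER` from unvalidated input. Split first and check the shape before touching `$_SERVER`, e.g. `$credentials = explode(':', base64_decode($matches[1]), 2); if (count($credentials) !== 2) { continue; }`, then assign the two keys from `$credentials`. The same unguarded split is carried unchanged into handleAuthHeaders() in the two following commits, so the guard belongs in that method once it lands. The enclosing method starts and ends outside this hunk.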
From bfd59bddf416dd43a77c67202ae1d57ab5a95b4a Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Sat, 19 Jul 2014 02:16:28 +0200
Subject: Extract Auth Header logic into new function handleAuthHeaders().

---
 lib/base.php | 42 ++++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/lib/base.php b/lib/base.php
index 95e3a30cdee..24381611001 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -472,26 +472,7 @@ class OC {
 @ini_set('post_max_size', '10G');
 @ini_set('file_uploads', '50');
 
- //copy http auth headers for apache+php-fcgid work around
- if (isset($_SERVER['HTTP_XAUTHORIZATION']) && !isset($_SERVER['HTTP_AUTHORIZATION'])) {
- $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['HTTP_XAUTHORIZATION'];
- }
-
- // Extract PHP_AUTH_USER/PHP_AUTH_PW from other headers if necessary.
- $httpAuthHeaderServerVars = array(
- 'HTTP_AUTHORIZATION', // apache+php-cgi work around
- 'REDIRECT_HTTP_AUTHORIZATION', // apache+php-cgi alternative
- );
- foreach ($httpAuthHeaderServerVars as $httpAuthHeaderServerVar) {
- if (isset($_SERVER[$httpAuthHeaderServerVar])
- && preg_match('/Basic\s+(.*)$/i', $_SERVER[$httpAuthHeaderServerVar], $matches)
- ) {
- list($name, $password) = explode(':', base64_decode($matches[1]), 2);
- $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
- $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
- break;
- }
- }
+ self::handleAuthHeaders();
 
 self::initPaths();
 if (OC_Config::getValue('instanceid', false)) {
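Review bot: The replacement call `self::handleAuthHeaders();` no longer tells a reader that it rewrites `$_SERVER` (`HTTP_AUTHORIZATION`, `PHP_AUTH_USER`, `PHP_AUTH_PW`) before `self::initPaths()` runs; the removed comments carried that information and nothing in the new line does. A one-line comment at the call site such as `// Populate PHP_AUTH_USER/PHP_AUTH_PW from Authorization headers the SAPI did not map (apache+php-cgi/fcgid)` would keep the intent visible where the side effect happens. The enclosing method starts and ends outside this hunk.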
@@ -812,6 +793,27 @@ class OC {
 return false;
 }
 
+ protected static function handleAuthHeaders() {
+ //copy http auth headers for apache+php-fcgid work around
+ if (isset($_SERVER['HTTP_XAUTHORIZATION']) && !isset($_SERVER['HTTP_AUTHORIZATION'])) {
+ $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['HTTP_XAUTHORIZATION'];
+ }
+
+ // Extract PHP_AUTH_USER/PHP_AUTH_PW from other headers if necessary.
+ $vars = array(
+ 'HTTP_AUTHORIZATION', // apache+php-cgi work around
+ 'REDIRECT_HTTP_AUTHORIZATION', // apache+php-cgi alternative
+ );
+ foreach ($vars as $var) {
+ if (isset($_SERVER[$var]) && preg_match('/Basic\s+(.*)$/i', $_SERVER[$var], $matches)) {
+ list($name, $password) = explode(':', base64_decode($matches[1]), 2);
+ $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
+ $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
+ break;
+ }
+ }
+ }
+
 protected static function handleLogin() {
 OC_App::loadApps(array('prelogin'));
 $error = array();
-- cgit v1.2.3

From 1c16d012ab34b8965c1b6d558e534a471f40d518 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Sat, 19 Jul 2014 10:17:24 +0200
Subject: Remove uneeded `strip_tags`

This `strip_tags` seems to be completely unneeded and will cause problems with passwords containing stripped characters. (e.g. `<` or `>`) Needs https://github.com/owncloud/core/pull/9735 to be merged first.
---
 lib/base.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/base.php b/lib/base.php
index 24381611001..730cee5231d 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -807,8 +807,8 @@ class OC {
 foreach ($vars as $var) {
 if (isset($_SERVER[$var]) && preg_match('/Basic\s+(.*)$/i', $_SERVER[$var], $matches)) {
 list($name, $password) = explode(':', base64_decode($matches[1]), 2);
- $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
- $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
+ $_SERVER['PHP_AUTH_USER'] = $name;
+ $_SERVER['PHP_AUTH_PW'] = $password;
 break;
 }
 }
-- cgit v1.2.3
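Review bot: `handleAuthHeaders()` is introduced without a docblock although its behaviour is not obvious from the name: it writes three `$_SERVER` keys (`HTTP_AUTHORIZATION`, `PHP_AUTH_USER`, `PHP_AUTH_PW`), only the first header that matches `Basic` wins because of the `break`, and any `PHP_AUTH_USER`/`PHP_AUTH_PW` the SAPI already populated is overwritten from the header. A docblock should state that this is a workaround for SAPIs (apache+php-cgi/fcgid) that do not map Basic credentials into `PHP_AUTH_USER`/`PHP_AUTH_PW`, list the sources in the order consulted (`HTTP_XAUTHORIZATION` copied into `HTTP_AUTHORIZATION`, then `HTTP_AUTHORIZATION`, then `REDIRECT_HTTP_AUTHORIZATION`), and make clear that the values are taken from the request unverified and that callers must still authenticate them. The `//copy http auth headers` comment could also say why the copy only happens when `HTTP_AUTHORIZATION` is absent. The function is fully contained in this hunk.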
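Review bot: With `strip_tags` gone the decoded bytes now reach `PHP_AUTH_USER`/`PHP_AUTH_PW` unchanged, which is the right outcome for passwords, but `base64_decode($matches[1])` on the context line above the changed pair still runs in lenient mode and silently discards characters outside the base64 alphabet instead of rejecting a malformed header, so a garbled `Authorization` value yields a partially decoded credential rather than a non-match. Decoding strictly and skipping on failure, `$decoded = base64_decode($matches[1], true); if ($decoded === false) { continue; }`, before the `explode` keeps the header either fully parsed or ignored. handleAuthHeaders() starts and ends outside this hunk.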