
#53 Improve auth in publish.mozilla.php

open
nobody
None
5
2012-12-21
2004-11-03
Anonymous
No

The upload script publish.mozilla.php does not respect
the $auth_method var in config.inc.php. If
$auth_method is not internal then publish.mozilla.php
should not be testing that $auth_internal_password
and $auth_internal_username match the user's
authentication.

Sorry if the web form mangled the patch

--- publish.mozilla.php.DIST 2004-11-03
13:08:05.000000000 -0800
+++ publish.mozilla.php 2004-11-03
13:19:29.000000000 -0800
@@ -78,18 +78,20 @@
return;
}
*/
-if (!isset($_SERVER['PHP_AUTH_USER'])) {
+if ( ('internal' == $auth_method) &&
!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authorized!';
exit;
} else {
- // logmsg($_SERVER['PHP_AUTH_PW'] . '|' .
$_SERVER['PHP_AUTH_USER']);
- if ($_SERVER['PHP_AUTH_USER'] !=
$auth_internal_username || $_SERVER['PHP_AUTH_PW'] !=
$auth_internal_password) {
- header('WWW-Authenticate: Basic realm="My Realm"');
- header('HTTP/1.0 401 Unauthorized');
- echo 'You must be authorized!';
- exit;
+ if ( 'internal' == $auth_method) {
+ // logmsg($_SERVER['PHP_AUTH_PW'] . '|' .
$_SERVER['PHP_AUTH_USER']);
+ if ($_SERVER['PHP_AUTH_USER'] !=
$auth_internal_username || $_SERVER['PHP_AUTH_PW'] !=
$auth_internal_password) {
+ header('WWW-Authenticate: Basic realm="My
Realm"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'You must be authorized!';
+ exit;
+ }
}
// only allow publishing if explicitly enabled
if(PHPICALENDAR_PUBLISHING == 1) {
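
Review bot: The non-internal path has no authentication check left in this script. When $auth_method is anything other than 'internal', the outer condition is false, the else branch is taken, the inner if ( 'internal' == $auth_method) block is skipped, and execution reaches if(PHPICALENDAR_PUBLISHING == 1) { without any credential having been tested. Nothing in the visible lines verifies that the configured method actually authenticated the request, so the upload handler should fail closed (send the 401 and exit) unless that method has established a user, or publishing should get its own setting independent of $auth_method so it can keep requiring the internal username and password. Separately, the credential test carried over in the + lines still uses the loose != operator; PHP compares numeric-looking strings numerically under !=, so !== is the safer comparison for both the username and the password.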

Discussion

  • Chad Little

    Chad Little - 2004-11-03

    Logged In: YES
    user_id=585637

    please attach the patch, yes the web mangles it. thanks!!!

     
  • Jo Rhett

    Jo Rhett - 2006-09-16

    Logged In: YES
    user_id=104595

    I disagree with this. I don't allow internal auth for
    phpicalendar, but I use it for publishing. We may need
    separate options for this.

     