#53 Improve auth in publish.mozilla.php

open
nobody
None
5
2012-12-21
2004-11-03
Anonymous
No

The upload script publish.mozilla.php does not respect
the $auth_method var in config.inc.php. If
$auth_method is not internal then publish.mozilla.php
should not be testing that $auth_internal_password
and $auth_internal_username match the user's
authentication.

Sorry if the web form mangled the patch

--- publish.mozilla.php.DIST 2004-11-03
13:08:05.000000000 -0800
+++ publish.mozilla.php 2004-11-03
13:19:29.000000000 -0800
@@ -78,18 +78,20 @@
return;
}
*/
-if (!isset($_SERVER['PHP_AUTH_USER'])) {
+if ( ('internal' == $auth_method) &&
!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authorized!';
exit;
} else {
- // logmsg($_SERVER['PHP_AUTH_PW'] . '|' .
$_SERVER['PHP_AUTH_USER']);
- if ($_SERVER['PHP_AUTH_USER'] !=
$auth_internal_username || $_SERVER['PHP_AUTH_PW'] !=
$auth_internal_password) {
- header('WWW-Authenticate: Basic realm="My Realm"');
- header('HTTP/1.0 401 Unauthorized');
- echo 'You must be authorized!';
- exit;
+ if ( 'internal' == $auth_method) {
+ // logmsg($_SERVER['PHP_AUTH_PW'] . '|' .
$_SERVER['PHP_AUTH_USER']);
+ if ($_SERVER['PHP_AUTH_USER'] !=
$auth_internal_username || $_SERVER['PHP_AUTH_PW'] !=
$auth_internal_password) {
+ header('WWW-Authenticate: Basic realm="My
Realm"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'You must be authorized!';
+ exit;
+ }
}
// only allow publishing if explicitly enabled
if(PHPICALENDAR_PUBLISHING == 1) {
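
Review bot: The non-internal path fails open. When $auth_method is anything other than 'internal', the outer condition is false and the new inner `if ( 'internal' == $auth_method)` is skipped, so execution reaches `if(PHPICALENDAR_PUBLISHING == 1)` with no credential check anywhere in these lines. Either make the other methods require an identity supplied by the web server (for example a non-empty $_SERVER['REMOTE_USER']) and return 401 when it is absent, or give publishing its own setting so that its credentials do not depend on $auth_method. Two smaller points on the lines carried over: the password is compared with loose `!=`, where a strict, constant-time comparison (hash_equals() where the PHP version provides it) is safer, and the commented-out logmsg call that would write PHP_AUTH_PW to the log is better deleted than re-indented.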

Discussion

  • Chad Little

    Chad Little - 2004-11-03

    Logged In: YES
    user_id=585637

    please attach the patch, yes the web mangles it. thanks!!!

     
  • Jo Rhett

    Jo Rhett - 2006-09-16

    Logged In: YES
    user_id=104595

    I disagree with this. I don't allow internal auth for
    phpicalendar, but I use it for publishing. We may need
    separate options for this.