From 6b3476409aa2efd8d4e2f41c2d039ee97fe7915a Mon Sep 17 00:00:00 2001
From: Michael
Date: Wed, 16 Jun 2021 19:39:51 +0000
Subject: [PATCH] Check for REDIRECT_REMOTE_USER as well

---
 src/Module/OAuth/Token.php | 10 ++++++++--
 src/Security/BasicAuth.php | 2 +-
 src/Security/OAuth.php | 5 +++++
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/Module/OAuth/Token.php b/src/Module/OAuth/Token.php
index 715cabeaf..1a2fff525 100644
--- a/src/Module/OAuth/Token.php
+++ b/src/Module/OAuth/Token.php
@@ -46,8 +46,14 @@ class Token extends BaseApi
  ]);
  // AndStatus transmits the client data in the AUTHORIZATION header field, see https://github.com/andstatus/andstatus/issues/530
- if (empty($request['client_id']) && !empty($_SERVER['HTTP_AUTHORIZATION']) && (substr($_SERVER['HTTP_AUTHORIZATION'], 0, 6) == 'Basic ')) {
- $datapair = explode(':', base64_decode(trim(substr($_SERVER['HTTP_AUTHORIZATION'], 6))));
+ $authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+ if (empty($authorization)) {
+ // workaround for HTTP-auth in CGI mode
+ $authorization = $_SERVER['REDIRECT_REMOTE_USER'] ?? '';
+ }
+ if (empty($request['client_id']) && !empty($authorization) && (substr($authorization, 0, 6) == 'Basic ')) {
+ $datapair = explode(':', base64_decode(trim(substr($authorization, 6))));
  if (count($datapair) == 2) {
  $request['client_id'] = $datapair[0];
  $request['client_secret'] = $datapair[1];
diff --git a/src/Security/BasicAuth.php b/src/Security/BasicAuth.php
index b76073e8b..070c6500d 100644
--- a/src/Security/BasicAuth.php
+++ b/src/Security/BasicAuth.php
@@ -124,7 +124,7 @@ class BasicAuth
  // workaround for HTTP-auth in CGI mode
  if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
  $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
- if (strlen($userpass)) {
+ if (!empty($userpass) && strpos($userpass, ':')) {
  list($name, $password) = explode(':', $userpass);
  $_SERVER['PHP_AUTH_USER'] = $name;
  $_SERVER['PHP_AUTH_PW'] = $password;
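Review bot: The `explode(':', ...)` on the new `$datapair` line still has no limit, so a client secret that contains a colon splits into three parts and is then rejected by the `count($datapair) == 2` check below; RFC 7617 only forbids the colon in the user-id, so split once with `$datapair = explode(':', base64_decode(trim(substr($authorization, 6))), 2);`. The decode is also non-strict, so a malformed header value turns into arbitrary bytes instead of being rejected; `base64_decode($value, true)` returns false on invalid input, which a check before the explode could reject explicitly. The four-line REDIRECT_REMOTE_USER fallback added here is repeated verbatim in src/Security/OAuth.php in this same patch, so a single helper returning the effective Authorization value would keep the two copies from drifting apart. The enclosing method of Token begins before and ends after this hunk.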
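Review bot: The new condition `strpos($userpass, ':')` depends on the match position being truthy, so a leading colon (empty user name) is treated as "no separator" only because 0 is falsy; if rejecting an empty name is intended, say so with `strpos($userpass, ':') > 0`, and if it is not, use `strpos($userpass, ':') !== false`. The `explode(':', $userpass)` on the following context line has no limit either, so a password that contains a colon is cut at the second colon by `list(...)` and the login fails with no indication why; `list($name, $password) = explode(':', $userpass, 2);` keeps the whole password. The `substr(..., 6)` above strips six characters without checking that the value actually begins with `Basic `, which predates this change but is worth a guard now that the parsing is being tightened. The enclosing block of BasicAuth starts before and continues after this hunk.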
diff --git a/src/Security/OAuth.php b/src/Security/OAuth.php
index 7210df8c2..2f5dd3964 100644
--- a/src/Security/OAuth.php
+++ b/src/Security/OAuth.php
@@ -83,6 +83,11 @@ class OAuth
  {
  $authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+ if (empty($authorization)) {
+ // workaround for HTTP-auth in CGI mode
+ $authorization = $_SERVER['REDIRECT_REMOTE_USER'] ?? '';
+ }
+
  if (substr($authorization, 0, 7) != 'Bearer ') {
  return [];
  }
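Review bot: The comment `// workaround for HTTP-auth in CGI mode` does not say why `$_SERVER['REDIRECT_REMOTE_USER']` is expected to begin with `Bearer `, which is what the prefix check on the next context line relies on; it appears to assume that a rewrite rule copies the raw Authorization header into that variable when the SAPI drops it, but that is not stated anywhere in the hunk. A comment recording the assumption would spare the next reader the guess, e.g. `// CGI/FastCGI drops the Authorization header; a rewrite rule is expected to copy its full value (scheme included) into REDIRECT_REMOTE_USER.` The enclosing method of OAuth continues past the end of this hunk.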