Merge pull request #142 from bjoernv/master

Setting authorization header globally in basicauth.php is dangerous (fix for #141)
Lutz Freitag
2020-04-23 11:04:38 +00:00
committed by GitHub


@@ -28,12 +28,13 @@ class OC_User_BasicAuth extends \OCA\user_external\Base {
* Connect without user/name password to make sure * Connect without user/name password to make sure
* URL is indeed authenticating or not... * URL is indeed authenticating or not...
*/ */
stream_context_set_default(array( $context = stream_context_create(array(
'http'=>array( 'http' => array(
'method'=>"GET", 'method' => "GET",
'follow_location' => 0
)) ))
); );
$canary = get_headers($this->authUrl, 1); $canary = get_headers($this->authUrl, 1, $context);
if(!$canary) { if(!$canary) {
OC::$server->getLogger()->error( OC::$server->getLogger()->error(
'ERROR: Not possible to connect to BasicAuth Url: '.$this->authUrl, 'ERROR: Not possible to connect to BasicAuth Url: '.$this->authUrl,
@@ -49,13 +50,14 @@ class OC_User_BasicAuth extends \OCA\user_external\Base {
return false; return false;
} }
stream_context_set_default(array( $context = stream_context_create(array(
'http'=>array( 'http' => array(
'method'=>"GET", 'method' => "GET",
'header' => "authorization: Basic " . base64_encode("$uid:$password") 'header' => "authorization: Basic " . base64_encode("$uid:$password"),
'follow_location' => 0
)) ))
); );
$headers = get_headers($this->authUrl, 1); $headers = get_headers($this->authUrl, 1, $context);
if(!$headers) { if(!$headers) {
OC::$server->getLogger()->error( OC::$server->getLogger()->error(