patch #1930057 [auth] colon in password prevents HTTP login on CGI/IIS
@@ -67,6 +67,8 @@ danbarry
|
||||
- bug #1918531 [compatibility] Navigation isn't w3.org valid
|
||||
thanks to Michael Keck - mkkeck
|
||||
- bug #1926357 [data] BIT defaults displayed incorrectly (todo: export?)
|
||||
- patch #1930057 [auth] colon in password prevents HTTP login on CGI/IIS,
|
||||
thanks to Jürgen Wind - windkiel
|
||||
|
||||
2.11.5.1 (2008-03-29)
|
||||
- bug #1909711 [security] Sensitive data in session files
|
||||
|
@@ -136,10 +136,16 @@ function PMA_auth_check()
|
||||
}
|
||||
|
||||
// Decode possibly encoded information (used by IIS/CGI/FastCGI)
|
||||
// (do not use explode() because a user might have a colon in his password
|
||||
if (strcmp(substr($PHP_AUTH_USER, 0, 6), 'Basic ') == 0) {
|
||||
$usr_pass = base64_decode(substr($PHP_AUTH_USER, 6));
|
||||
if (!empty($usr_pass) && strpos($usr_pass, ':') !== false) {
|
||||
list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', $usr_pass);
|
||||
if (! empty($usr_pass)) {
|
||||
$colon = strpos($usr_pass, ':');
|
||||
if ($colon) {
|
||||
$PHP_AUTH_USER = substr($usr_pass, 0, $colon);
|
||||
$PHP_AUTH_PW = substr($usr_pass, $colon + 1);
|
||||
}
|
||||
unset($colon);
|
||||
}
|
||||
unset($usr_pass);
|
||||
}
|
||||
|
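Review bot: `if ($colon)` in the new decoding block treats a colon at offset 0 (empty user name) the same as no colon at all, because `strpos()` returns `0` in the first case and `false` in the second. In both cases `$PHP_AUTH_USER` keeps the raw `Basic <base64>` header text and `$PHP_AUTH_PW` is left untouched, so an undecoded header can be carried forward as a user name. Compare explicitly with `if ($colon !== false) {` and add an `else` branch that clears both variables for a malformed value. How the rest of PMA_auth_check() uses these variables is outside the hunk, so the downstream effect should be confirmed there. Separately, the new comment `// (do not use explode() because a user might have a colon in his password` is missing its closing parenthesis.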