From cb692f02675ff287a8f940128842d36ae66e5f8a Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Thu, 3 Apr 2008 12:42:33 +0000
Subject: [PATCH] patch #1930057 [auth] colon in password prevents HTTP login on CGI/IIS
---
 ChangeLog | 2 ++
 libraries/auth/http.auth.lib.php | 10 ++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index de3e0ac4f..9f1bdf60b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -67,6 +67,8 @@ danbarry
 - bug #1918531 [compatibility] Navigation isn't w3.org valid
 thanks to Michael Keck - mkkeck
 - bug #1926357 [data] BIT defaults displayed incorrectly (todo: export?)
+- patch #1930057 [auth] colon in password prevents HTTP login on CGI/IIS,
+ thanks to Jürgen Wind - windkiel
 2.11.5.1 (2008-03-29)
 - bug #1909711 [security] Sensitive data in session files
diff --git a/libraries/auth/http.auth.lib.php b/libraries/auth/http.auth.lib.php
index 856ce1ef7..264996de0 100644
--- a/libraries/auth/http.auth.lib.php
+++ b/libraries/auth/http.auth.lib.php
@@ -136,10 +136,16 @@ function PMA_auth_check()
 }
 // Decode possibly encoded information (used by IIS/CGI/FastCGI)
+ // (do not use explode() because a user might have a colon in his password
 if (strcmp(substr($PHP_AUTH_USER, 0, 6), 'Basic ') == 0) {
 $usr_pass = base64_decode(substr($PHP_AUTH_USER, 6));
- if (!empty($usr_pass) && strpos($usr_pass, ':') !== false) {
- list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', $usr_pass);
+ if (! empty($usr_pass)) {
+ $colon = strpos($usr_pass, ':');
+ if ($colon) {
+ $PHP_AUTH_USER = substr($usr_pass, 0, $colon);
+ $PHP_AUTH_PW = substr($usr_pass, $colon + 1);
+ }
+ unset($colon);
 }
 unset($usr_pass);
 }
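Review bot: The new `if ($colon)` test in the http.auth.lib.php hunk treats a colon at offset 0 the same as no colon at all, because `strpos()` returns `0` for the former and `false` for the latter. For a decoded value with an empty user name, the credentials are therefore left unsplit and `$PHP_AUTH_USER` keeps the raw `Basic …` text, whereas the removed `strpos(...) !== false` check did split that case. Comparing explicitly, `if ($colon !== false) {`, keeps the first-colon split this patch wants without changing the empty-user behaviour. The added comment also lacks its closing parenthesis. PMA_auth_check() starts and ends outside this hunk, so how an unsplit value is used afterwards is not visible here.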