authorSimon McVittie <smcv@debian.org>2017-05-14 14:44:43 +0100
committerSimon McVittie <smcv@debian.org>2017-05-14 15:37:45 +0100
commit31c89db246a2e4704e3d4c3784c5406fbd084bb6 (patch)
tree7b70561571723693e4f3ab1d7f0d59ac447829c9
parent59daf36cb2dfa289814fd89778f6c0000b6d870a (diff)
httpauth: If REMOTE_USER is empty, behave as though it was unset
A frequently cut-and-pasted HTTP basic authentication configuration for nginx sets it to the empty string when not authenticated, which is not useful.
-rw-r--r--IkiWiki/Plugin/httpauth.pm6
-rw-r--r--debian/changelog3
-rw-r--r--doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn4
3 files changed, 10 insertions, 3 deletions
diff --git a/IkiWiki/Plugin/httpauth.pm b/IkiWiki/Plugin/httpauth.pm
index 76d574b2a..041eaebc9 100644
--- a/IkiWiki/Plugin/httpauth.pm
+++ b/IkiWiki/Plugin/httpauth.pm
@@ -66,7 +66,7 @@ sub auth ($$) {
my $cgi=shift;
my $session=shift;
- if (defined $cgi->remote_user()) {
+ if (length $cgi->remote_user()) {
$session->param("name", $cgi->remote_user());
}
}
@@ -80,7 +80,7 @@ sub formbuilder_setup (@) {
my $buttons=$params{buttons};
if ($form->title eq "signin" &&
- ! defined $cgi->remote_user() && defined $config{cgiauthurl}) {
+ ! length $cgi->remote_user() && defined $config{cgiauthurl}) {
my $button_text="Login with HTTP auth";
push @$buttons, $button_text;
@@ -97,7 +97,7 @@ sub canedit ($$$) {
my $cgi=shift;
my $session=shift;
- if (! defined $cgi->remote_user() &&
+ if (! length $cgi->remote_user() &&
(! defined $session->param("name") ||
! IkiWiki::userinfo_get($session->param("name"), "regdate")) &&
defined $config{httpauth_pagespec} &&
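Review bot: In the canedit hunk the empty-string guard is applied to REMOTE_USER but not to the session name on the following line, which still uses `! defined $session->param("name")`; a session whose `name` was stored as "" (for example one created by the auth sub before this fix, when an empty REMOTE_USER was still accepted) is therefore still treated as "defined" and reaches `IkiWiki::userinfo_get("", "regdate")`. The changelog entry in this commit says set-but-empty session names should be treated as not signed in, so for consistency the line would read `(! length $session->param("name") ||`. Whether userinfo_get already returns false for an empty username is not visible here, so this may be harmless in practice, but making the two checks match avoids relying on that. Note also that `length undef` returns undef on perl 5.12 and later, which is what makes `! length` safe for an unset REMOTE_USER; on older perls it may emit an uninitialized-value warning under `use warnings`. The canedit body continues past the end of the hunk.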
diff --git a/debian/changelog b/debian/changelog
index d3576c528..005c811d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ ikiwiki (3.20170112) UNRELEASED; urgency=medium
* t/git-cgi.t: Wait 1 second before doing a revert that should work.
This hopefully fixes a race condition in which the test failed
around 6% of the time. (Closes: 862494)
+ * Guard against set-but-empty REMOTE_USER CGI variable on
+ misconfigured nginx servers, and in general treat sessions with
+ a set-but-empty name as if they were not signed in.
-- Simon McVittie <smcv@debian.org> Sun, 14 May 2017 15:34:52 +0100
diff --git a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
index 02d43e827..5fa1aaa61 100644
--- a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
+++ b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
@@ -81,6 +81,10 @@ It seems I can't log out from nowhere. I've rebuild the wiki from the command li
> with one of a limited set of authorized usernames.
>
> --[[smcv]]
+>
+>> If my theory is correct, ikiwiki git master now works around this, and the
+>> [[plugins/httpauth]] documentation now recommends a more correct configuration.
+>> --[[smcv]]
---