aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--IkiWiki/Plugin/httpauth.pm6
-rw-r--r--debian/changelog3
-rw-r--r--doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn4
3 files changed, 10 insertions, 3 deletions
diff --git a/IkiWiki/Plugin/httpauth.pm b/IkiWiki/Plugin/httpauth.pm
index 76d574b2a..041eaebc9 100644
--- a/IkiWiki/Plugin/httpauth.pm
+++ b/IkiWiki/Plugin/httpauth.pm
@@ -66,7 +66,7 @@ sub auth ($$) {
my $cgi=shift;
my $session=shift;
- if (defined $cgi->remote_user()) {
+ if (length $cgi->remote_user()) {
$session->param("name", $cgi->remote_user());
}
}
@@ -80,7 +80,7 @@ sub formbuilder_setup (@) {
my $buttons=$params{buttons};
if ($form->title eq "signin" &&
- ! defined $cgi->remote_user() && defined $config{cgiauthurl}) {
+ ! length $cgi->remote_user() && defined $config{cgiauthurl}) {
my $button_text="Login with HTTP auth";
push @$buttons, $button_text;
@@ -97,7 +97,7 @@ sub canedit ($$$) {
my $cgi=shift;
my $session=shift;
- if (! defined $cgi->remote_user() &&
+ if (! length $cgi->remote_user() &&
(! defined $session->param("name") ||
! IkiWiki::userinfo_get($session->param("name"), "regdate")) &&
defined $config{httpauth_pagespec} &&
diff --git a/debian/changelog b/debian/changelog
index d3576c528..005c811d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ ikiwiki (3.20170112) UNRELEASED; urgency=medium
* t/git-cgi.t: Wait 1 second before doing a revert that should work.
This hopefully fixes a race condition in which the test failed
around 6% of the time. (Closes: 862494)
+ * Guard against set-but-empty REMOTE_USER CGI variable on
+ misconfigured nginx servers, and in general treat sessions with
+ a set-but-empty name as if they were not signed in.
-- Simon McVittie <smcv@debian.org> Sun, 14 May 2017 15:34:52 +0100
diff --git a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
index 02d43e827..5fa1aaa61 100644
--- a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
+++ b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
@@ -81,6 +81,10 @@ It seems I can't log out from nowhere. I've rebuild the wiki from the command li
> with one of a limited set of authorized usernames.
>
> --[[smcv]]
+>
+>> If my theory is correct, ikiwiki git master now works around this, and the
+>> [[plugins/httpauth]] documentation now recommends a more correct configuration.
+>> --[[smcv]]
---