From 31c89db246a2e4704e3d4c3784c5406fbd084bb6 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Sun, 14 May 2017 14:44:43 +0100
Subject: httpauth: If REMOTE_USER is empty, behave as though it was unset

A frequently cut-and-pasted HTTP basic authentication configuration
for nginx sets it to the empty string when not authenticated, which
is not useful.
---
 debian/changelog | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'debian')

diff --git a/debian/changelog b/debian/changelog
index d3576c528..005c811d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ ikiwiki (3.20170112) UNRELEASED; urgency=medium
   * t/git-cgi.t: Wait 1 second before doing a revert that should work.
     This hopefully fixes a race condition in which the test failed
     around 6% of the time. (Closes: 862494)
+  * Guard against set-but-empty REMOTE_USER CGI variable on
+    misconfigured nginx servers, and in general treat sessions with
+    a set-but-empty name as if they were not signed in.
 
  -- Simon McVittie <smcv@debian.org>  Sun, 14 May 2017 15:34:52 +0100
 
-- 
cgit v1.2.3