diff options
| author | Marc Delisle <marc@infomarc.info> | 2012-02-26 17:10:30 +0400 |
|---|---|---|
| committer | Marc Delisle <marc@infomarc.info> | 2012-02-26 17:10:30 +0400 |
| commit | 803e5fcd07e2db7b7e5aa54438bcedf6dea535ba (patch) | |
| tree | f5d2b91323dc6deaa257102af465aee0d5ec3093 /libraries/auth | |
| parent | 8481a0265d931722eb57333f627c183cd02627ad (diff) | |
No longer globalize HTTP_AUTHORIZATION
Diffstat (limited to 'libraries/auth')
| -rw-r--r-- | libraries/auth/http.auth.lib.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libraries/auth/http.auth.lib.php b/libraries/auth/http.auth.lib.php index 7a84eeac68..96b07c5ac6 100644 --- a/libraries/auth/http.auth.lib.php +++ b/libraries/auth/http.auth.lib.php @@ -118,8 +118,8 @@ function PMA_auth_check() } elseif (PMA_getenv('AUTH_USER')) { // WebSite Professional $PHP_AUTH_USER = PMA_getenv('AUTH_USER'); - } elseif (PMA_getenv('HTTP_AUTHORIZATION')) { - // IIS, might be encoded, see below + } elseif (PMA_getenv('HTTP_AUTHORIZATION') && false === strpos(PMA_getenv('HTTP_AUTHORIZATION'), '<')) { + // IIS, might be encoded, see below; also prevent XSS $PHP_AUTH_USER = PMA_getenv('HTTP_AUTHORIZATION'); } elseif (PMA_getenv('Authorization')) { // FastCGI, might be encoded, see below |