HTTP Auth disallow multiple headers (#7528)

When using HTTP Auth methods (including OpenID Connect), exactly 1 HTTP header should be received, not more.
This commit is contained in:
Alexandre Alapetite
2025-04-28 22:51:54 +02:00
committed by GitHub
parent b20dd771d6
commit 6bb8680ae0


@@ -813,6 +813,12 @@ function checkTrustedIP(): bool {
}
function httpAuthUser(bool $onlyTrusted = true): string {
$auths = array_intersect_key($_SERVER, ['REMOTE_USER' => '', 'REDIRECT_REMOTE_USER' => '', 'HTTP_REMOTE_USER' => '', 'HTTP_X_WEBAUTH_USER' => '']);
if (count($auths) > 1) {
Minz_Log::warning('Multiple HTTP authentication headers!');
return '';
}
if (!empty($_SERVER['REMOTE_USER']) && is_string($_SERVER['REMOTE_USER'])) {
return $_SERVER['REMOTE_USER'];
}