Source: awl
Version: 0.53-1
Severity: normal
Tags: patch upstream

Hi.

The CGI specification (https://tools.ietf.org/html/rfc3875#section-4.1.1) 
defines the
AUTH_TYPE variable to be case-insensitive.
Currently this is not supported by awl.

Attached is a patch that corrects this (please check it for mistakes)
I've tried it with Davical... and it seems to work.


Cheers,
Chris.
Index: awl/inc/Session.php
===================================================================
--- awl.orig/inc/Session.php	2012-01-14 22:33:41.000000000 +0100
+++ awl/inc/Session.php	2013-03-19 00:53:13.221564085 +0100
@@ -827,11 +827,11 @@
       * The authentication should have happened in the server, and we should accept it if so.
       */
       if ( is_array($c->authenticate_hook['server_auth_type']) ) {
-        if ( in_array($_SERVER['AUTH_TYPE'], $c->authenticate_hook['server_auth_type'])) {
+        if ( in_array( strtolower($_SERVER['AUTH_TYPE']), array_map('strtolower', $c->authenticate_hook['server_auth_type']) )) {
           $this->Login($_SERVER['REMOTE_USER'], "", true);  // Password will not be checked.
         }
       }
-      else if ( $c->authenticate_hook['server_auth_type'] == $_SERVER['AUTH_TYPE'] ) {
+      else if ( strtolower($c->authenticate_hook['server_auth_type']) == strtolower($_SERVER['AUTH_TYPE']) ) {
         /**
         * Perhaps this 'split' is not a good idea though.  People may want to use the
         * full ID as the username.  A further option may be desirable.

Reply via email to