Source: awl
Version: 0.53-1
Severity: normal
Tags: patch upstream
Hi.
The CGI specification (https://tools.ietf.org/html/rfc3875#section-4.1.1)
defines the
AUTH_TYPE variable to be case-insensitive.
Currently this is not supported by awl.
Attached is a patch that corrects this (please check it for mistakes)
I've tried it with Davical... and it seems to work.
Cheers,
Chris.
Index: awl/inc/Session.php
===================================================================
--- awl.orig/inc/Session.php 2012-01-14 22:33:41.000000000 +0100
+++ awl/inc/Session.php 2013-03-19 00:53:13.221564085 +0100
@@ -827,11 +827,11 @@
* The authentication should have happened in the server, and we should accept it if so.
*/
if ( is_array($c->authenticate_hook['server_auth_type']) ) {
- if ( in_array($_SERVER['AUTH_TYPE'], $c->authenticate_hook['server_auth_type'])) {
+ if ( in_array( strtolower($_SERVER['AUTH_TYPE']), array_map('strtolower', $c->authenticate_hook['server_auth_type']) )) {
$this->Login($_SERVER['REMOTE_USER'], "", true); // Password will not be checked.
}
}
- else if ( $c->authenticate_hook['server_auth_type'] == $_SERVER['AUTH_TYPE'] ) {
+ else if ( strtolower($c->authenticate_hook['server_auth_type']) == strtolower($_SERVER['AUTH_TYPE']) ) {
/**
* Perhaps this 'split' is not a good idea though. People may want to use the
* full ID as the username. A further option may be desirable.