Source: davical
Version: 1.1.1-1
Severity: minor
Tags: patch upstream

Hi.

This is analogous to #703381.


The CGI specification (https://tools.ietf.org/html/rfc3875#section-4.1.1) 
defines the
AUTH_TYPE variable to be case-insensitive.
Currently this is not supported by awl.

Attached is a patch that corrects this (please check it for mistakes)
I've tried it... and it seems to work.

Cheers,
Chris.


btw: This patch is needed for the auth system for caldav.php, the patch on awl 
is needed for
the auth system for the davical admin interface.
Index: davical/inc/HTTPAuthSession.php
===================================================================
--- davical.orig/inc/HTTPAuthSession.php	2012-03-16 00:54:58.000000000 +0100
+++ davical/inc/HTTPAuthSession.php	2013-03-19 00:54:04.744586930 +0100
@@ -114,10 +114,10 @@
     else if ( isset($c->authenticate_hook['server_auth_type'])
               && isset($_SERVER['REMOTE_USER']) && !empty($_SERVER['REMOTE_USER'])) {
       if ( ( is_array($c->authenticate_hook['server_auth_type'])
-                    && in_array($_SERVER['AUTH_TYPE'], $c->authenticate_hook['server_auth_type']) )
+                    && in_array( strtolower($_SERVER['AUTH_TYPE']), array_map('strtolower', $c->authenticate_hook['server_auth_type'])) )
          ||
            ( !is_array($c->authenticate_hook['server_auth_type'])
-                    && $c->authenticate_hook['server_auth_type'] == $_SERVER['AUTH_TYPE'] )
+                    && strtolower($c->authenticate_hook['server_auth_type']) == strtolower($_SERVER['AUTH_TYPE']) )
          ) {
         /**
         * The authentication has happened in the server, and we should accept it.

Reply via email to