Hi Johannes, Thank you for fixing! Should I try now?
Regards, -- Yasuo Ohgaki yohg...@ohgaki.net On Thu, Nov 21, 2013 at 7:42 AM, Johannes Schlüter <johan...@php.net> wrote:
> Commit: 6af377de63c31c5ea08233f421126feade9dea9a
> Author: Johannes Schlüter <johan...@schlueters.de> Wed, 20 Nov
> 2013 23:42:04 +0100
> Parents: f8eedcc9f478a73190b1c05002a2c9e0d114e492
> Branches: master
>
> Link:
> http://git.php.net/?p=web/qa.git;a=commitdiff;h=6af377de63c31c5ea08233f421126feade9dea9a
>
> Log:
> Switch to token based authentication
>
> Changed paths:
> M pulls/api.php
> M pulls/config.php.in
> M pulls/index.php
>
>
> Diff:
> diff --git a/pulls/api.php b/pulls/api.php
> index a878b3e..a23e166 100644
> --- a/pulls/api.php
> +++ b/pulls/api.php
> @@ -60,16 +60,19 @@ function do_http_request($url, $opts)
> if (empty($opts['user_agent'])) {
> $opts['user_agent'] = USER_AGENT;
> }
> + // IMPORTANT $opts might be logged. Make sure token is removed
> from log!
> + $opts['header'] = 'Authorization: token '.GITHUB_TOKEN;
>
> $ctxt = stream_context_create(array('http' => $opts));
> - $actual_url = str_replace('https://', 'https://
> '.GITHUB_USER.':'.GITHUB_PASS.'@', $url);
>
> $old_track_errors = ini_get('track_errors');
> ini_set('track_errors', true);
> - $s = @file_get_contents($actual_url, false, $ctxt);
> + $s = @file_get_contents($url, false, $ctxt);
> ini_set('track_errors', $old_track_errors);
>
> if (isset($_SESSION['debug']['requests'])) {
> + // The token shall not be leaked!
> + $opts['header'] = 'Authorization: token (secret)';
> $_SESSION['debug']['requests'][] = array(
> 'url' => $url,
> 'opts'=> $opts,
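Review bot: The added `$opts['header'] = 'Authorization: token '.GITHUB_TOKEN;` stores the secret in the same `$opts` array that is later copied into `$_SESSION['debug']['requests']`, so keeping the token out of the debug log depends entirely on the redaction line inside the `isset(...)` branch and on no other consumer of `$opts` appearing later. The assignment also replaces any `header` value a caller passed in. Building the stream context from a copy keeps the token out of `$opts` altogether: `$http = $opts; $http['header'] = 'Authorization: token '.GITHUB_TOKEN;` and then `$ctxt = stream_context_create(array('http' => $http));`. Callers of do_http_request are not visible here, so whether any of them sets `header` still needs checking, and the function body continues past the end of this hunk.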
> @@ -80,13 +83,7 @@ function do_http_request($url, $opts)
>
> if (!$s) {
> $errors[] = "Server responded: ".$http_response_header[0];
> - $errors[] = "Github user: ".GITHUB_USER;
> - if ($_SESSION['user'] === 'johannes') {
> - /* This might include the password or such, so not
> everybody should get it
> - The good news is that the HTTP Status code
> usually is a good enough hint
> - */
> - $errors[] = $php_errormsg;
> - }
> + $errors[] = $php_errormsg;
> return false;
> }
> return $s;
> diff --git a/pulls/config.php.in b/pulls/config.php.in
> index ec65f53..15e2d86 100644
> --- a/pulls/config.php.in
> +++ b/pulls/config.php.in
> @@ -1,5 +1,11 @@
> <?php
> const GITHUB_BASEURL = 'https://api.github.com/';
> const GITHUB_ORG = 'php';
> -const GITHUB_USER = '....';
> -const GITHUB_PASS = '....';
> +
> +/*
> +Github tokens can be generated using "Personal Access Tokens" on
> +https://github.com/settings/applications after logging in as the user
> +they should belong to. On php.net this is the php-pulls user. On
> +test setups this might be your normal user.
> +*/
> +const GITHUB_TOKEN = '....';
> diff --git a/pulls/index.php b/pulls/index.php
> index 62ed205..12a7404 100644
> --- a/pulls/index.php
> +++ b/pulls/index.php
> @@ -135,7 +135,7 @@ if (!getenv('AUTH_TOKEN')) {
> echo '<div style="width: 100%; border: 2px solid red;
> padding:10px;"><b>Error:</b> AUTH_TOKEN not set</div><br>';
> }
>
> -if (!constant('GITHUB_PASS')) {
> +if (!constant('GITHUB_TOKEN')) {
> echo '<div style="width: 100%; border: 2px solid red;
> padding:10px;"><b>Error:</b> config.php not configured
> correctly.</div><br>';
> common_footer();
> exit;
>
>
> --
> PHP Quality Assurance Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
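Review bot: In the second pulls/api.php hunk, `$errors[] = $php_errormsg;` is now reported to every user, which is acceptable only because the request URL no longer embeds credentials. The removed comment explained the old restriction, and nothing records the new assumption; a comment such as `// $url carries no credentials since the switch to the Authorization header, so this message may be shown to everyone` would do. The unchanged line above reads `$http_response_header[0]` unconditionally, and that variable is not populated when no HTTP response was received, so a guard like `isset($http_response_header[0])` would avoid a notice on connection failures. Where `$errors` is rendered is outside the hunk; if it reaches HTML output, the message should be escaped at that point.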
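Review bot: The new comment in pulls/config.php.in says where to generate the token but not how much access it should carry. A personal access token acts as the account it belongs to, so the template is the natural place to ask for the narrowest scopes the tool works with and to remind that the filled-in config.php must stay out of version control. One added sentence would cover it, for example `Grant only the scopes this tool needs and never commit the real config.php.`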
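Review bot: In pulls/index.php, `if (!constant('GITHUB_TOKEN'))` does not catch an unedited template. The placeholder `'....'` shipped in config.php.in is a non-empty string, so the check passes and the first API call fails later with a less helpful error. `constant()` on an undefined name also emits a warning on older PHP and throws an Error on PHP 8, so a missing constant is not handled cleanly either. A check such as `if (!defined('GITHUB_TOKEN') || GITHUB_TOKEN === '' || GITHUB_TOKEN === '....') {` would cover both cases. The code around this block lies outside the hunk.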