Commit ca474194 authored by lphuberdeau's avatar lphuberdeau

[MOD] Remove ability to authenticate using GET parameters, that is plain wrong...

[MOD] Remove the ability to authenticate using GET parameters: that is plainly wrong in the HTTP auth method, and the commented-out code is broken by API changes
parent adf086a3
......@@ -399,10 +399,6 @@ class TikiAccessLib extends TikiLib
if( ! $tikidomain ) {
$tikidomain = "Default";
}
if (empty($_SERVER['PHP_AUTH_USER']) && !empty($_REQUEST['user']) && !empty($_REQUEST['pass'])) {
$_SERVER['PHP_AUTH_USER'] = $_REQUEST['user'];
$_SERVER['PHP_AUTH_PW'] = $_REQUEST['pass'];
}
if (! isset($_SERVER['PHP_AUTH_USER']) ) {
header('WWW-Authenticate: Basic realm="'.$tikidomain.'"');
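Review bot: The surviving guard `if (! isset($_SERVER['PHP_AUTH_USER']) )` skips the challenge when the header-supplied username is present but empty, whereas the fallback this commit removes tested `empty()`; a client sending `Authorization: Basic` with a blank user therefore gets no `WWW-Authenticate` response and falls through to whatever validation follows outside this hunk. `if (empty($_SERVER['PHP_AUTH_USER'])) {` would re-issue the challenge on blank credentials and match the check that was just deleted. Now that credentials can no longer arrive via `$_REQUEST`, a comment at this point such as `// Credentials are taken only from the Authorization header, never from GET/POST parameters.` would keep the intent from being reintroduced. The realm is built from `$tikidomain` unescaped; it appears to be set elsewhere, so it is worth confirming it cannot contain a double quote that would malform the header. The enclosing method starts before the hunk and continues past it.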
......
......@@ -440,28 +440,6 @@ if (isset($_SESSION["$user_cookie_site"])) {
}
} else {
$user = NULL;
// if everything failed, check for user+pass params in the URL
// this is needed for access to things like RSS feeds that are configured to be
// be visible to registered users and/or certain groups
// #####################################################################################
// Note: if you uncomment the following section, people are allowed to log in using
// GET (username and password in URL). That is some kind of insecure, because
// password and username are not encrypted and visible and browser caches etc, besides
// that someone could try to break in with brute force attacks. So uncomment this only
// if you are in a trusted environment (maybe intranet) and want to ignore the risks.
// #####################################################################################
// $isvalid = false;
// if (isset($_REQUEST["user"]) && isset($_REQUEST["pass"])) {
// $isvalid = $userlib->validate_user($_REQUEST["user"], $_REQUEST["pass"], '', '');
// if ($isvalid) {
// $_SESSION["$user_cookie_site"] = $_REQUEST["user"];
// $user = $_REQUEST["user"];
// $smarty->assign_by_ref('user', $user);
// // Now since the user is valid we put the user provpassword as the password
// $userlib->confirm_user($user);
// }
// }
if ($prefs['login_http_basic'] === 'always' ||
($prefs['login_http_basic'] === 'ssl' && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on')) {
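Review bot: With the commented-out block gone, the `else` branch now drops straight from `$user = NULL;` into the `login_http_basic` check with nothing recording why query-string credentials are deliberately not an option here, which is exactly the situation in which someone re-adds them for the RSS-feed case the old comment described. A one-line comment after `$user = NULL;` such as `// Credentials are never read from request parameters here; feeds that require a registered user must use HTTP Basic auth (login_http_basic).` keeps that decision visible. The same applies to the earlier hunk at line 399, where the `$_REQUEST` fallback was removed without a note. The enclosing `if`/`else` begins before this hunk and the `login_http_basic` condition continues past it.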
......