author | Alexandre Alapetite <alexandre@alapetite.fr> | 2025-04-28 22:51:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-04-28 22:51:54 +0200 |
commit | 6bb8680ae0051b9a2ff344f17814f4fa5d844628 (patch) | |
tree | ccd5f467980f8a2e92232c5245ad0d65c44f0aa4 | |
parent | b20dd771d6aacb7d3a8ea043379157e2ee61ef33 (diff) | |
When using HTTP Auth methods (including OpenID Connect), exactly 1 HTTP header should be received, not more.
-rw-r--r-- | lib/lib_rss.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 73e1c62f0..fac7af60e 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -813,6 +813,12 @@ function checkTrustedIP(): bool {
 }
 function httpAuthUser(bool $onlyTrusted = true): string {
+ $auths = array_intersect_key($_SERVER, ['REMOTE_USER' => '', 'REDIRECT_REMOTE_USER' => '', 'HTTP_REMOTE_USER' => '', 'HTTP_X_WEBAUTH_USER' => '']);
+ if (count($auths) > 1) {
+ Minz_Log::warning('Multiple HTTP authentication headers!');
+ return '';
+ }
+
 if (!empty($_SERVER['REMOTE_USER']) && is_string($_SERVER['REMOTE_USER'])) {
 return $_SERVER['REMOTE_USER'];
 } |
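Review bot: The warning emitted when more than one authentication header is present does not say which of the four keys collided, which is exactly what an operator needs to tell a misconfigured proxy chain from a client injecting an extra `Remote-User` / `X-WebAuth-User` header; log the key names, e.g. `Minz_Log::warning('Multiple HTTP authentication headers: ' . implode(', ', array_keys($auths)));`. Note also that `array_intersect_key` counts a key as present even when its value is an empty string or not a string, so a server that populates `REMOTE_USER` with `''` alongside a proxy header will trip this check — this is the conservative choice, but it is worth a one-line comment above the `count($auths) > 1` test so nobody later "fixes" it by filtering empties. The body of `httpAuthUser` continues past the end of the hunk, so the `$onlyTrusted` handling that should gate the proxy-supplied headers is not visible here.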