Check for REDIRECT_REMOTE_USER as well
authorMichael <heluecht@pirati.ca>
Wed, 16 Jun 2021 19:39:51 +0000 (19:39 +0000)
committerMichael <heluecht@pirati.ca>
Wed, 16 Jun 2021 19:39:51 +0000 (19:39 +0000)
src/Module/OAuth/Token.php
src/Security/BasicAuth.php
src/Security/OAuth.php

index 715cabeaf2ea3ffcff577a7467f3daee8ac97dfe..1a2fff5254b6c681b0e53eaebbef564ab2540560 100644 (file)
@@ -46,8 +46,14 @@ class Token extends BaseApi
                ]);
 
                // AndStatus transmits the client data in the AUTHORIZATION header field, see https://github.com/andstatus/andstatus/issues/530
-               if (empty($request['client_id']) && !empty($_SERVER['HTTP_AUTHORIZATION']) && (substr($_SERVER['HTTP_AUTHORIZATION'], 0, 6) == 'Basic ')) {
-                       $datapair = explode(':', base64_decode(trim(substr($_SERVER['HTTP_AUTHORIZATION'], 6))));
+               $authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+               if (empty($authorization)) {
+                       // workaround for HTTP-auth in CGI mode
+                       $authorization = $_SERVER['REDIRECT_REMOTE_USER'] ?? '';
+               }
+
+               if (empty($request['client_id']) && !empty($authorization) && (substr($authorization, 0, 6) == 'Basic ')) {
+                       $datapair = explode(':', base64_decode(trim(substr($authorization, 6))));
                        if (count($datapair) == 2) {
                                $request['client_id']     = $datapair[0];
                                $request['client_secret'] = $datapair[1];
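Review bot: The credential split `explode(':', base64_decode(trim(substr($authorization, 6))))` has no limit, so a client secret that contains a colon yields more than two parts and the `count($datapair) == 2` check silently drops the credentials from the header. The BasicAuth.php hunk of this commit splits the same way, and there `list($name, $password) = explode(':', $userpass);` cuts the password off at its first colon. Passing a limit keeps everything after the first colon together: `$datapair = explode(':', base64_decode(trim(substr($authorization, 6))), 2);` here and `explode(':', $userpass, 2)` in BasicAuth.php. The `if` block continues past the end of this hunk.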
index b76073e8b328f1dbccf2388d6e16fe8e01958551..070c6500d3582a7104c66650193359e5ec34bb31 100644 (file)
@@ -124,7 +124,7 @@ class BasicAuth
                // workaround for HTTP-auth in CGI mode
                if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
                        $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
-                       if (strlen($userpass)) {
+                       if (!empty($userpass) && strpos($userpass, ':')) {
                                list($name, $password) = explode(':', $userpass);
                                $_SERVER['PHP_AUTH_USER'] = $name;
                                $_SERVER['PHP_AUTH_PW'] = $password;
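Review bot: `substr($_SERVER["REDIRECT_REMOTE_USER"], 6)` drops six characters without checking that they are `Basic `, and after this commit the same server variable is also read as a `Bearer ` value in OAuth.php. A non-Basic value is then decoded leniently, because `base64_decode()` without its strict flag skips invalid characters, and any result that happens to contain a colon is written to `PHP_AUTH_USER` and `PHP_AUTH_PW`. I would guard the branch with `substr($_SERVER['REDIRECT_REMOTE_USER'], 0, 6) == 'Basic '` and decode with `base64_decode(..., true)`. The new `strpos($userpass, ':')` test is also false for a colon at offset 0, so an empty user name is rejected only implicitly; `strpos($userpass, ':') > 0` would state that intent. The enclosing method starts and ends outside this hunk.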
index 7210df8c2ede2e687668a5dd4829a8954fa81b1a..2f5dd396410bba4f1634b34ec5b7af415b71272d 100644 (file)
@@ -83,6 +83,11 @@ class OAuth
        {
                $authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
 
+               if (empty($authorization)) {
+                       // workaround for HTTP-auth in CGI mode
+                       $authorization = $_SERVER['REDIRECT_REMOTE_USER'] ?? '';
+               }
+
                if (substr($authorization, 0, 7) != 'Bearer ') {
                        return [];
                }
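Review bot: The comment `// workaround for HTTP-auth in CGI mode` does not say why `REDIRECT_REMOTE_USER` can be treated as an Authorization header; that presumably holds only when the web server is configured to copy the header into that variable, whereas a server that performs its own authentication would put a user name there. I would spell the assumption out, e.g. `// CGI/FastCGI: the web server is expected to copy the Authorization header into REMOTE_USER, which arrives here as REDIRECT_REMOTE_USER`. The same five-line fallback is added to Token.php in this commit, so a single shared helper returning the header value would keep the two copies in step. The enclosing method begins before this hunk and continues after it.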