From 55e8473a7a87ebe85bcfa5cfb409ce9a9aeafdd0 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Wed, 10 Mar 2010 03:39:05 +0000 Subject: [PATCH] A blank username should never be allowed. --- lib/apiauth.php | 2 +- lib/util.php | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/apiauth.php b/lib/apiauth.php index f63c84d8f3..32502399f9 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -241,7 +241,7 @@ class ApiAuthAction extends ApiAction $realm = common_config('site', 'name') . ' API'; } - if (!isset($this->auth_user_nickname) && $required) { + if (empty($this->auth_user_nickname) && $required) { header('WWW-Authenticate: Basic realm="' . $realm . '"'); // show error if the user clicks 'cancel' diff --git a/lib/util.php b/lib/util.php index da2799d4f9..5bef88ecc1 100644 --- a/lib/util.php +++ b/lib/util.php @@ -133,6 +133,11 @@ function common_munge_password($password, $id) function common_check_user($nickname, $password) { + // empty nickname always unacceptable + if (empty($nickname)) { + return false; + } + $authenticatedUser = false; if (Event::handle('StartCheckPassword', array($nickname, $password, &$authenticatedUser))) { -- 2.39.5