Better authorization error handling
author
Christian Weiske
<cweiske@cweiske.de>
Thu, 19 Apr 2018 18:54:51 +0000
(20:54 +0200)
committer
Christian Weiske
<cweiske@cweiske.de>
Thu, 19 Apr 2018 18:54:51 +0000
(20:54 +0200)
www/micropub.php
diff --git
a/www/micropub.php
b/www/micropub.php
index eff6ea7f26fde64042859ad3a79d36fa06e486fb..c0c01b4c4864ab5e3ce595cb9da4a428e81c276a 100644
--- a/
www/micropub.php
+++ b/
www/micropub.php
@@
-111,9
+111,13
@@
function handleCreate($json, $token)
function getTokenFromHeader()
{
function getTokenFromHeader()
{
- if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
+ if (isset($_SERVER['HTTP_AUTHORIZATION'])
+ && $_SERVER['HTTP_AUTHORIZATION'] != ''
+ ) {
$auth = $_SERVER['HTTP_AUTHORIZATION'];
$auth = $_SERVER['HTTP_AUTHORIZATION'];
- } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+ } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])
+ && $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] != ''
+ ) {
//php-cgi has it there
$auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
} else {
//php-cgi has it there
$auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
} else {
@@
-122,11
+126,17
@@
function getTokenFromHeader()
'Authorization HTTP header missing'
);
}
'Authorization HTTP header missing'
);
}
+ if (strpos($auth, ' ') === false) {
+ mpError(
+ 'HTTP/1.0 403 Forbidden', 'forbidden',
+ 'Authorization header must start with "Bearer "'
+ );
+ }
list($bearer, $token) = explode(' ', $auth, 2);
if ($bearer !== 'Bearer') {
mpError(
'HTTP/1.0 403 Forbidden', 'forbidden',
list($bearer, $token) = explode(' ', $auth, 2);
if ($bearer !== 'Bearer') {
mpError(
'HTTP/1.0 403 Forbidden', 'forbidden',
- 'Authorization header must start with "Bearer"'
+ 'Authorization header must start with "Bearer
"'
);
}
return trim($token);
);
}
return trim($token);
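Review bot: A header consisting of just `Bearer ` (scheme, whitespace, no token) still passes both new checks in this hunk — `strpos` finds the space and `$bearer` equals `'Bearer'` — so `getTokenFromHeader` returns an empty string from `return trim($token);` and the missing-token case is left for the caller to detect, while the first hunk already rejects an empty header at the same layer. I would reject it here with the same 403 shape as the neighbouring branches, before the return: `$token = trim($token); if ($token === '') { mpError('HTTP/1.0 403 Forbidden', 'forbidden', 'Authorization header contains no token'); }`. The closing brace of getTokenFromHeader lies outside the hunk. In the first hunk, the `!= ''` tests on the header values would read more consistently with the `!==` used for the Bearer check if written as `!== ''`.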