Changeset 1202 for plugins/httpPassword

Timestamp:

06/05/09 13:25:03 (14 years ago)

Author:

wattoo

Message:

Correction d'un bug de securite (mauvaise prise en compte du couple login/password).
Il n'y a pas a dire, developpeur c est un metier

Location:

plugins/httpPassword

Files:

• _define.php (modified) (1 diff)
• _public.php (modified) (1 diff)

plugins/httpPassword/_define.php

@@ -16 +16 @@
      /* Description*/    "Manage .htpasswd file to make the blog private",
      /* Author */        "Frederic PLE <dotclear@frederic.ple.name>",
-     /* Version */       '0.5.2',
+     /* Version */       '0.5.3',
      /* Permissions */   'httpPassword'
 );

plugins/httpPassword/_public.php

@@ -62 +62 @@
                list($cur_user,$cur_pass) = explode(':',trim($ligne),2);
                httpPassword::__debuglog($core,'cur_user: '.$cur_user.'      cur_pass: '.$cur_pass);
-               if (crypt($PHP_AUTH_PW,$cur_pass) == $cur_pass) {
+               if ($cur_user == $PHP_AUTH_USER and crypt($PHP_AUTH_PW,$cur_pass) == $cur_pass) {
                     $authenticated = true;
                     httpPassword::__debuglog($core,'        OK');