From 945cf832ad2c20c10704282d03326d8495d0ca4b Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Wed, 2 Jan 2019 21:43:05 +0100
Subject: HTTP authenfication fixes (#2204)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Security fixes when HTTP user does not exist in FreshRSS
* Accept HTTP header X-WebAuth-User for delegated HTTP Authentication (e.g. Træfik)
* Document delegated HTTP authentication from https://github.com/FreshRSS/FreshRSS/pull/2202
---
 app/Controllers/authController.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'app/Controllers')
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 5ad1a51d9..3b2d78b19 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -79,8 +79,12 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 Minz_Request::forward(array('c' => 'auth', 'a' => 'formLogin'));
 break;
 case 'http_auth':
+ Minz_Error::error(403, array('error' => array(_t('feedback.access.denied'),
+ ' [HTTP Remote-User=' . htmlspecialchars(httpAuthUser(), ENT_NOQUOTES, 'UTF-8') . ']'
+ )), false);
+ break;
 case 'none':
- // It should not happened!
+ // It should not happen!
 Minz_Error::error(404);
 default:
 // TODO load plugin instead
-- 
cgit v1.2.3
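Review bot: In the new `case 'http_auth':` branch the reflected user name is escaped with `ENT_NOQUOTES`, which leaves `"` and `'` untouched; that is only safe if the error view prints the message as element text, and the rendering code is outside this hunk. Because the commit message says `httpAuthUser()` can now be fed from the `X-WebAuth-User` request header, I would escape for any HTML context with `htmlspecialchars(httpAuthUser(), ENT_QUOTES, 'UTF-8')`. Separately, `case 'none':` still has no `break` after `Minz_Error::error(404);` and falls into `default:`, while the new branch does add one after its own error call; if the fall-through is intended, a `// no break` comment there would say so. The enclosing switch starts and ends outside the hunk.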