From 6bb8680ae0051b9a2ff344f17814f4fa5d844628 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Mon, 28 Apr 2025 22:51:54 +0200
Subject: HTTP Auth disallow multiple headers (#7528)
When using HTTP Auth methods (including OpenID Connect), exactly 1 HTTP header should be received, not more.
---
 lib/lib_rss.php | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'lib')
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 73e1c62f0..fac7af60e 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -813,6 +813,12 @@ function checkTrustedIP(): bool {
 }
 function httpAuthUser(bool $onlyTrusted = true): string {
+ $auths = array_intersect_key($_SERVER, ['REMOTE_USER' => '', 'REDIRECT_REMOTE_USER' => '', 'HTTP_REMOTE_USER' => '', 'HTTP_X_WEBAUTH_USER' => '']);
+ if (count($auths) > 1) {
+ Minz_Log::warning('Multiple HTTP authentication headers!');
+ return '';
+ }
+
 if (!empty($_SERVER['REMOTE_USER']) && is_string($_SERVER['REMOTE_USER'])) {
 return $_SERVER['REMOTE_USER'];
 }
-- 
cgit v1.2.3
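Review bot: The added `array_intersect_key` check counts any of the four keys that merely exists in `$_SERVER`, including ones holding an empty string, so a deployment whose web server always populates `REMOTE_USER` (for example a FastCGI setup that passes it through even when no server-side auth ran) alongside a proxy-set `X-WebAuth-User` would hit the 'Multiple HTTP authentication headers!' branch on every request and lock all users out rather than only on a genuine conflict. Filtering to populated string values before counting keeps the fail-closed intent while matching the `!empty(...) && is_string(...)` test the existing branch below uses: `$auths = array_filter($auths, static fn ($v): bool => is_string($v) && $v !== '');`. Naming the offending keys would also make the warning actionable, e.g. `Minz_Log::warning('Multiple HTTP authentication headers: ' . implode(', ', array_keys($auths)));`, since the key names carry no secret and the values are deliberately not logged. The body of httpAuthUser continues outside the hunk, so whether the later branches for the `HTTP_*` variants still gate on `$onlyTrusted` / `checkTrustedIP()` before honouring a client-supplied header cannot be confirmed from here and should be re-checked, as this count-based guard does not replace that source check.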