Description: Don't use underscores in request header variables
Andreas B. Mundt <andi.mundt@web.de>
Since Apache 2.4, the translation of headers to environment variables is
stricter than before, to mitigate some possible cross-site-scripting attacks
via header injection. Headers containing invalid characters (including
underscores) are now silently dropped.
@@ -51,7 +51,7 @@ if (file_exists("/etc/gosa/gosa.secrets"
} else {
echo "* creating /etc/gosa/gosa.secrets\n";
$fp = fopen("/etc/gosa/gosa.secrets", 'w') or die("Cannot open /etc/gosa/gosa.secrets for writing - aborted");
- fwrite($fp, "RequestHeader set GOSA_KEY $master_key\n");
+ fwrite($fp, "RequestHeader set GOSAKEY $master_key\n");
fclose($fp);
chmod ("/etc/gosa/gosa.secrets", 0600);
chown ("/etc/gosa/gosa.secrets", "root");
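Review bot: The master key is written before the file is locked down: `fopen("/etc/gosa/gosa.secrets", 'w')` creates the file with whatever the process umask allows, `fwrite` stores the key, and only then does `chmod(..., 0600)` run, so under a permissive umask the key is briefly readable by other local users. Calling `umask(0077);` before the `fopen`, or moving the `chmod`/`chown` calls ahead of the `fwrite`, closes that window. The return values of `fwrite`, `chmod` and `chown` are also unchecked, so a failed permission change would leave the key exposed without any message. The enclosing if/else starts outside the hunk, so the other branch is not reviewed here.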
@@ -301,14 +301,14 @@ class config {
function get_credentials($creds)
{
- if (isset($_SERVER['HTTP_GOSA_KEY'])){
- if (!session::global_is_set('HTTP_GOSA_KEY_CACHE')){
- session::global_set('HTTP_GOSA_KEY_CACHE',array());
+ if (isset($_SERVER['HTTP_GOSAKEY'])){
+ if (!session::global_is_set('HTTP_GOSAKEY_CACHE')){
+ session::global_set('HTTP_GOSAKEY_CACHE',array());
}
- $cache = session::global_get('HTTP_GOSA_KEY_CACHE');
+ $cache = session::global_get('HTTP_GOSAKEY_CACHE');
if(!isset($cache[$creds])){
- $cache[$creds] = cred_decrypt($creds, $_SERVER['HTTP_GOSA_KEY']);
- session::global_set('HTTP_GOSA_KEY_CACHE',$cache);
+ $cache[$creds] = cred_decrypt($creds, $_SERVER['HTTP_GOSAKEY']);
+ session::global_set('HTTP_GOSAKEY_CACHE',$cache);
}
return ($cache[$creds]);
}
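Review bot: When `$_SERVER['HTTP_GOSAKEY']` is not set, `get_credentials` skips this whole block and continues in code outside the hunk, and nothing visible here records that the key was missing. After the rename that case looks likely on upgraded hosts: the first hunk's header suggests gosa.secrets is only written when it does not exist yet, so an existing file would presumably still contain `RequestHeader set GOSA_KEY`, which Apache 2.4 drops according to the description. The upgrade path should rewrite or regenerate that file, and the block deserves a comment such as `// HTTP_GOSAKEY is set by "RequestHeader set GOSAKEY ..." in /etc/gosa/gosa.secrets; no underscores, Apache 2.4 drops such headers`. The cache also keeps the decrypted credentials in the session under `HTTP_GOSAKEY_CACHE`, so session storage should be protected as strictly as the key itself.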