mirror of
https://github.com/kd2org/picodav.git
synced 2024-11-16 00:28:26 +01:00
Make sure we accept user if password is not set
FossilOrigin-Name: ecfae0dbe8a82c2826ff3f86ca3291d3c2345cc33d67125a91b541ffceb1c272
This commit is contained in:
parent
7291cfc910
commit
f2b3b9c051
2 changed files with 31 additions and 18 deletions
39
index.php
39
index.php
|
@ -1367,13 +1367,15 @@ namespace PicoDAV
|
||||||
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
|
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
|
||||||
$password = $_SERVER['PHP_AUTH_PW'] ?? null;
|
$password = $_SERVER['PHP_AUTH_PW'] ?? null;
|
||||||
|
|
||||||
$hash = $this->users[$user]['password'] ?? null;
|
if (!array_key_exists($user, $this->users)) {
|
||||||
|
|
||||||
if (!$hash) {
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!password_verify($password, $hash)) {
|
$hash = $this->users[$user]['password'] ?? null;
|
||||||
|
|
||||||
|
// If no password is set, we accept any password as we consider that a .htaccess/.htpasswd
|
||||||
|
// access has been granted
|
||||||
|
if (null !== $hash && !password_verify($password, $hash)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1940,11 +1942,11 @@ RewriteRule ^.*$ /index.php [END]
|
||||||
$fp = fopen(__FILE__, 'r');
|
$fp = fopen(__FILE__, 'r');
|
||||||
|
|
||||||
if ($relative_uri == '.webdav/webdav.js') {
|
if ($relative_uri == '.webdav/webdav.js') {
|
||||||
fseek($fp, 52608, SEEK_SET);
|
fseek($fp, 52782, SEEK_SET);
|
||||||
echo fread($fp, 27798);
|
echo fread($fp, 28039);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
fseek($fp, 52608 + 27798, SEEK_SET);
|
fseek($fp, 52782 + 28039, SEEK_SET);
|
||||||
echo fread($fp, 7004);
|
echo fread($fp, 7004);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2187,12 +2189,14 @@ const WebDAVNavigator = (url, options) => {
|
||||||
};
|
};
|
||||||
|
|
||||||
const wopi_init = async () => {
|
const wopi_init = async () => {
|
||||||
if (!wopi_discovery_url) {
|
try {
|
||||||
|
var d = await reqXML('GET', wopi_discovery_url);
|
||||||
|
}
|
||||||
|
catch (e) {
|
||||||
|
reloadListing();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
var d = await reqXML('GET', wopi_discovery_url);
|
|
||||||
|
|
||||||
d.querySelectorAll('app').forEach(app => {
|
d.querySelectorAll('app').forEach(app => {
|
||||||
var mime = (a = app.getAttribute('name').match(/^.*\/.*$/)) ? a[0] : null;
|
var mime = (a = app.getAttribute('name').match(/^.*\/.*$/)) ? a[0] : null;
|
||||||
wopi_mimes[mime] = {};
|
wopi_mimes[mime] = {};
|
||||||
|
@ -2381,6 +2385,10 @@ const WebDAVNavigator = (url, options) => {
|
||||||
};
|
};
|
||||||
|
|
||||||
const formatDate = (date) => {
|
const formatDate = (date) => {
|
||||||
|
if (isNaN(date)) {
|
||||||
|
return '';
|
||||||
|
}
|
||||||
|
|
||||||
var now = new Date;
|
var now = new Date;
|
||||||
var nb_hours = (+(now) - +(date)) / 3600 / 1000;
|
var nb_hours = (+(now) - +(date)) / 3600 / 1000;
|
||||||
|
|
||||||
|
@ -2571,7 +2579,7 @@ const WebDAVNavigator = (url, options) => {
|
||||||
$('.download_all').onclick = download_all;
|
$('.download_all').onclick = download_all;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!root_permissions || root_permissions.indexOf('CK') != -1) {
|
if (!root_permissions || root_permissions.indexOf('C') != -1 || root_permissions.indexOf('K') != -1) {
|
||||||
$('.upload').insertAdjacentHTML('afterbegin', create_buttons);
|
$('.upload').insertAdjacentHTML('afterbegin', create_buttons);
|
||||||
|
|
||||||
$('.mkdir').onclick = () => {
|
$('.mkdir').onclick = () => {
|
||||||
|
@ -2793,6 +2801,9 @@ const WebDAVNavigator = (url, options) => {
|
||||||
if (location.pathname.indexOf(base_url) === 0) {
|
if (location.pathname.indexOf(base_url) === 0) {
|
||||||
current_url = location.pathname;
|
current_url = location.pathname;
|
||||||
}
|
}
|
||||||
|
else if (options.start_url) {
|
||||||
|
current_url = options.start_url;
|
||||||
|
}
|
||||||
|
|
||||||
if (!base_url.match(/^https?:/)) {
|
if (!base_url.match(/^https?:/)) {
|
||||||
base_url = location.href.replace(/^(https?:\/\/[^\/]+\/).*$/, '$1') + base_url.replace(/^\/+/, '');
|
base_url = location.href.replace(/^(https?:\/\/[^\/]+\/).*$/, '$1') + base_url.replace(/^\/+/, '');
|
||||||
|
@ -2806,11 +2817,10 @@ const WebDAVNavigator = (url, options) => {
|
||||||
|
|
||||||
document.querySelector('html').innerHTML = html_tpl;
|
document.querySelector('html').innerHTML = html_tpl;
|
||||||
|
|
||||||
|
// Wait for WOPI discovery before creating the list
|
||||||
if (wopi_discovery_url) {
|
if (wopi_discovery_url) {
|
||||||
// Wait for WOPI discovery before creating the list
|
|
||||||
wopi_init();
|
wopi_init();
|
||||||
}
|
} else {
|
||||||
else {
|
|
||||||
reloadListing();
|
reloadListing();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2900,6 +2910,7 @@ const WebDAVNavigator = (url, options) => {
|
||||||
|
|
||||||
if (url = document.querySelector('html').getAttribute('data-webdav-url')) {
|
if (url = document.querySelector('html').getAttribute('data-webdav-url')) {
|
||||||
WebDAVNavigator(url, {
|
WebDAVNavigator(url, {
|
||||||
|
'start_url' : document.querySelector('html').getAttribute('data-start-url'),
|
||||||
'wopi_discovery_url': document.querySelector('html').getAttribute('data-wopi-discovery-url'),
|
'wopi_discovery_url': document.querySelector('html').getAttribute('data-wopi-discovery-url'),
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
10
server.php
10
server.php
|
@ -43,13 +43,15 @@ namespace PicoDAV
|
||||||
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
|
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
|
||||||
$password = $_SERVER['PHP_AUTH_PW'] ?? null;
|
$password = $_SERVER['PHP_AUTH_PW'] ?? null;
|
||||||
|
|
||||||
$hash = $this->users[$user]['password'] ?? null;
|
if (!array_key_exists($user, $this->users)) {
|
||||||
|
|
||||||
if (!$hash) {
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!password_verify($password, $hash)) {
|
$hash = $this->users[$user]['password'] ?? null;
|
||||||
|
|
||||||
|
// If no password is set, we accept any password as we consider that a .htaccess/.htpasswd
|
||||||
|
// access has been granted
|
||||||
|
if (null !== $hash && !password_verify($password, $hash)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue