Setting authorization header globally in basicauth.php is dangerous (fix for #141)

nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP

https://apps.nextcloud.com/apps/user_external

108 stars 64 forks source link

Setting authorization header globally in basicauth.php is dangerous (fix for #141) #142

Closed bjoernv closed 4 years ago

bjoernv commented 4 years ago

Fixes #141

Changes proposed in this pull request:

Authorization header for OC_User_BasicAuth is now set with locally stream context instead globally with stream_context_set_default function.
HTTP Redirects in OC_User_BasicAuth are disabled now, so authorization header can not be forwared to foreign servers.

nerdmaennchen commented 4 years ago

Hey there.

Thank you so much for bringing this up! Indeed this is a serious flaw and your fix looks good. I also agree that disabling follow_location is the better default behavior

Thanks again!