From 7e5453b3aac94fb0fb1771b4afa8af8d6626e960 Mon Sep 17 00:00:00 2001
From: disconn3ct
Date: Fri, 8 Jul 2022 16:31:15 +0300
Subject: [PATCH] fix: lower-case remote usernames before validation

Fixes a bug where users are saved lowercase but compared mixed-case. Only applies to upstreams that send non-lowercase usernames. No obvious security impact; it results in a unique key violation and not a successful login.
---
 plugins/auth_remote/init.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/auth_remote/init.php b/plugins/auth_remote/init.php
index 3203d41fe..2fb45fdef 100644
--- a/plugins/auth_remote/init.php
+++ b/plugins/auth_remote/init.php
@@ -45,7 +45,7 @@ class Auth_Remote extends Auth_Base {
 foreach (["REMOTE_USER", "HTTP_REMOTE_USER", "REDIRECT_REMOTE_USER", "PHP_AUTH_USER"] as $hdr) {
 if (!empty($_SERVER[$hdr])) {
- $try_login = $_SERVER[$hdr];
+ $try_login = strtolower($_SERVER[$hdr]);
 break;
 }
 }
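Review bot: `strtolower()` on the new `$try_login` assignment folds ASCII letters only (and was locale-dependent before PHP 8.2), so a non-ASCII username from the upstream can still differ from the stored form if the code that saves users lowercases with a multibyte-aware function; that code is outside this hunk and needs confirming. Using the same call on both sides, for example `$try_login = mb_strtolower($_SERVER[$hdr]);` when mbstring is available, keeps the lookup and the stored key consistent. Folding case here also means that upstream identities differing only in case now resolve to one local account, which is safe only when the upstream authenticator itself treats usernames as case-insensitive. A short comment recording that assumption would help, such as `// usernames are stored lowercase; the upstream authenticator is assumed to be case-insensitive`. The enclosing method starts and ends outside the hunk, so any other place there that sets `$try_login` would need the same normalisation.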