From a01c1f6ab0d6409c9e3408108e0fc69fd287b9f1 Mon Sep 17 00:00:00 2001
From: Dag
Date: Mon, 6 Mar 2023 20:43:44 +0100
Subject: [PATCH] fix: disallow usage of default password (#3284)

---
 config.default.ini.php | 4 ++--
 lib/AuthenticationMiddleware.php | 7 +++++++
 lib/RssBridge.php | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/config.default.ini.php b/config.default.ini.php
index 17bfc702..2432d784 100644
--- a/config.default.ini.php
+++ b/config.default.ini.php
@@ -75,8 +75,8 @@
 enable = false
 username = "admin"
-; This default password is public knowledge. Replace it.
-password = "7afbf648a369b261"
+; The password cannot be the empty string if authentication is enabled.
+password = ""
 ; This will be used only for actions that require privileged access
 access_token = ""
diff --git a/lib/AuthenticationMiddleware.php b/lib/AuthenticationMiddleware.php
index 4c554a42..c77e1b91 100644
--- a/lib/AuthenticationMiddleware.php
+++ b/lib/AuthenticationMiddleware.php
@@ -14,6 +14,13 @@ final class AuthenticationMiddleware
 {
+    public function __construct()
+    {
+        if (Configuration::getConfig('authentication', 'password') === '') {
+            throw new \Exception('The authentication password cannot be the empty string');
+        }
+    }
+
     public function __invoke(): void
     {
         $user = $_SERVER['PHP_AUTH_USER'] ?? null;
diff --git a/lib/RssBridge.php b/lib/RssBridge.php
index 7e79a423..ce895bf2 100644
--- a/lib/RssBridge.php
+++ b/lib/RssBridge.php
@@ -63,8 +63,8 @@ final class RssBridge
         // Consider: ini_set('error_reporting', E_ALL & ~E_DEPRECATED);
         date_default_timezone_set(Configuration::getConfig('system', 'timezone'));
-        $authenticationMiddleware = new AuthenticationMiddleware();
         if (Configuration::getConfig('authentication', 'enable')) {
+            $authenticationMiddleware = new AuthenticationMiddleware();
             $authenticationMiddleware();
         }
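Review bot: The new constructor in lib/AuthenticationMiddleware.php rejects only the empty string, so an existing deployment whose config still carries the previous public default `7afbf648a369b261` (the value removed from config.default.ini.php in this same patch) passes the check unchanged, even though the subject line says the default password is disallowed. Checking against a list closes that gap: `if (in_array(Configuration::getConfig('authentication', 'password'), ['', '7afbf648a369b261'], true)) {`. If `getConfig` can return null for a missing key (not visible here), the strict `=== ''` comparison also lets that case through; adding `null` to the same list covers it. A `\RuntimeException` (or a project-specific exception type) would convey more than the bare `\Exception`. The body of `__invoke` continues outside the hunk.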