From c0f7266e11b587f26020a2448632e125bfebeb66 Mon Sep 17 00:00:00 2001 From: Jason Coward Date: Tue, 4 Jun 2013 12:21:44 -0600 Subject: [PATCH] Prevent empty HTTP_MODAUTH from succeeding --- core/docs/changelog.txt | 1 + core/model/modx/modconnectorresponse.class.php | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/core/docs/changelog.txt b/core/docs/changelog.txt index 231f84c5de3..1458f422c3d 100755 --- a/core/docs/changelog.txt +++ b/core/docs/changelog.txt @@ -4,6 +4,7 @@ development release, and is only shown to give an idea of what's currently in th MODX Revolution 2.2.8-pl (June 4, 2013) ==================================== +- Prevent empty HTTP_MODAUTH from succeeding - [#9450] Prevent non-existent Context initialization - [#9896] Improve performance of modTemplateVar::getRenderDirectories() - [#9859] Prevent conditional output filter recursion diff --git a/core/model/modx/modconnectorresponse.class.php b/core/model/modx/modconnectorresponse.class.php index 70250e7e712..36280ae094e 100644 --- a/core/model/modx/modconnectorresponse.class.php +++ b/core/model/modx/modconnectorresponse.class.php @@ -83,7 +83,7 @@ function __construct(modX & $modx) { * * {@inheritdoc} */ - public function outputContent(array $options = array()) { + public function outputContent(array $options = array()) { /* variable pointer for easier access */ $modx =& $this->modx; @@ -96,7 +96,7 @@ public function outputContent(array $options = array()) { $isLogin = $target == 'login'; /* ensure headers are sent for proper authentication */ - if (!$isLogin && !isset($_SERVER['HTTP_MODAUTH']) && !isset($_REQUEST['HTTP_MODAUTH'])) { + if (!$isLogin && !isset($_SERVER['HTTP_MODAUTH']) && (!isset($_REQUEST['HTTP_MODAUTH']) || empty($_REQUEST['HTTP_MODAUTH']))) { $this->responseCode = 401; $this->body = $modx->error->failure($modx->lexicon('access_denied'),array('code' => 401));
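Review bot: The emptiness check added to the `if` in the last hunk covers only `$_REQUEST['HTTP_MODAUTH']`; `$_SERVER['HTTP_MODAUTH']` is still tested with `isset()` alone, so a header that is present but empty skips this 401 guard and is left to whatever checks follow, which are outside the hunk and should be confirmed to reject an empty value. The `!isset($x) || empty($x)` pair is also redundant, because `empty()` is already true for an unset key. Both points are covered by `if (!$isLogin && empty($_SERVER['HTTP_MODAUTH']) && empty($_REQUEST['HTTP_MODAUTH'])) {`. A regression test that sends an empty header and an empty request parameter and expects a 401 in both cases would pin the behaviour the commit title promises. The body of `outputContent()` continues past the end of the hunk.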