nette/http

If a website has nginx access restricted by `auth_basic_user_file`, `$httpRequest->getUrl()->getAbsoluteUrl()` returns the path with auth parameters included

tkorcina opened this issue · 1 comments

Version: v3.1.6

Bug Description

When I use `$httpRequest->getUrl()->getAbsoluteUrl()` on a website on nginx restricted with basic authorization (`auth_basic_user_file` directive with a path to the .htpasswd file), it returns the path with the login and unhashed password from the file.

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/


Example:

.htpasswd file:

```
user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0
```

`echo $httpRequest->getUrl()->getAbsoluteUrl()` returns:

```
"https://user1:realWorkingPassword@www.example.com"
```

This might have been already fixed in master #211
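
A defensive workaround for the behaviour reported above, as an added example that is not part of the original issue or of nette/http: the hypothetical helper `stripUserInfo()` rebuilds an absolute URL without its user and password using only PHP's built-in `parse_url()`, so the result can be echoed, logged or placed in a link. The sample URLs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not nette/http code): drop the userinfo part of an absolute
 * URL before it is echoed, logged, or placed in a link or redirect.
 * stripUserInfo() is a hypothetical helper name.
 */
function stripUserInfo(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('Not an absolute URL');
    }

    // Rebuild from every component except 'user' and 'pass'.
    // parse_url() keeps the brackets around an IPv6 host, so it is reused as-is.
    $out = $p['scheme'] . '://' . $p['host'];
    if (isset($p['port'])) {
        $out .= ':' . $p['port'];
    }
    $out .= $p['path'] ?? '';
    if (isset($p['query'])) {
        $out .= '?' . $p['query'];
    }
    if (isset($p['fragment'])) {
        $out .= '#' . $p['fragment'];
    }
    return $out;
}

// Constructed sample inputs; the first has the shape reported in the issue.
$samples = [
    'https://user1:realWorkingPassword@www.example.com',
    'https://user1@www.example.com:8443/admin?x=1#top',
    'https://www.example.com/path',
    'https://user1:pw@[::1]:8080/',
];

foreach ($samples as $sample) {
    echo stripUserInfo($sample), PHP_EOL;
}
```

Apply the helper at the point where the URL leaves the application (templates, log handlers, redirects) rather than where it is read, so every output path is covered.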