[mythtv] Simple MythWeb hack...help needed

Mark Edwards irish at irishmark.co.uk
Fri Nov 16 10:28:14 UTC 2007


 

On Nov 15, 2007 6:58 PM, Bill Williamson <bill at bbqninja.com> wrote:


> Hmmm...is that really true?  My OpenID provider is VeriSign and I'm pretty
> sure they only allow https for requests.



Yes.  The final step in OpenID (or most other SSO schemes) is a 
redirect back to your site with a token.  If YOUR site is not SSL,
then you are vulnerable to MITM attacks.


OK, I see your point now.  I'll have to look into that as well then (not a
bad thing to implement anyway).  I suppose I'll have to get a free
certificate which means those annoying popup dialogs warning me my site
isn't "secure".  I suppose that is a small price to pay. 

Back to the topic at hand...anybody have any suggestions on my next step
(either how to get Apache to do authorization or how to put some simple
authorization hack into MythWeb)?

--

I have a patch for (very) simple protection of certain pages.
 
Basically in the handler.php I add something like this:
+// Privileged page?
+    if (in_array($Path[1], array('tv', 'mythtv', 'stream', 'weather')) ) {
+       if (!isset($_SERVER['PHP_AUTH_USER'])) {
+           header('WWW-Authenticate: Basic realm="irishmark.co.uk"');
+           header('HTTP/1.0 401 Unauthorized');
+           echo 'denied';
+           exit;
+        }
+    }
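Review bot: the inner test `if (!isset($_SERVER['PHP_AUTH_USER']))` only checks that a username was sent, so any username with any password passes for 'tv', 'mythtv', 'stream' and 'weather'. Compare `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` against stored credentials before falling through, and send the same 401 response when they do not match as when they are absent. Basic credentials travel base64-encoded rather than encrypted, so this check also depends on the site being served over SSL, as discussed earlier in the thread.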
 
