httpauth: If REMOTE_USER is empty, behave as though it was unset

A frequently cut-and-pasted HTTP basic authentication configuration
for nginx sets it to the empty string when not authenticated, which
is not useful.

IkiWiki/Plugin/httpauth.pm

@@ -66,7 +66,7 @@ sub auth ($$) {
 	my $cgi=shift;
 	my $session=shift;
 
-	if (defined $cgi->remote_user()) {
+	if (length $cgi->remote_user()) {
 		$session->param("name", $cgi->remote_user());
 	}
 }
@@ -80,7 +80,7 @@ sub formbuilder_setup (@) {
 	my $buttons=$params{buttons};
 
 	if ($form->title eq "signin" &&
-	    ! defined $cgi->remote_user() && defined $config{cgiauthurl}) {
+	    ! length $cgi->remote_user() && defined $config{cgiauthurl}) {
 		my $button_text="Login with HTTP auth";
 		push @$buttons, $button_text;
 
@@ -97,7 +97,7 @@ sub canedit ($$$) {
 	my $cgi=shift;
 	my $session=shift;
 
-	if (! defined $cgi->remote_user() &&
+	if (! length $cgi->remote_user() &&
 	    (! defined $session->param("name") ||
              ! IkiWiki::userinfo_get($session->param("name"), "regdate")) &&
 	    defined $config{httpauth_pagespec} &&

debian/changelog

@@ -3,6 +3,9 @@ ikiwiki (3.20170112) UNRELEASED; urgency=medium
   * t/git-cgi.t: Wait 1 second before doing a revert that should work.
     This hopefully fixes a race condition in which the test failed
     around 6% of the time. (Closes: 862494)
+  * Guard against set-but-empty REMOTE_USER CGI variable on
+    misconfigured nginx servers, and in general treat sessions with
+    a set-but-empty name as if they were not signed in.
 
  -- Simon McVittie <smcv@debian.org>  Sun, 14 May 2017 15:34:52 +0100
 

doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn

@@ -81,6 +81,10 @@ It seems I can't log out from nowhere. I've rebuild the wiki from the command li
 > with one of a limited set of authorized usernames.
 >
 > --[[smcv]]
+>
+>> If my theory is correct, ikiwiki git master now works around this, and the
+>> [[plugins/httpauth]] documentation now recommends a more correct configuration.
+>> --[[smcv]]
 
 ---