Setting the Password to an arbitrary value was dumb.

Author: Zegnat

index.php

@@ -59,22 +59,27 @@
 
 /**
  * Double check if a password has been configured. If there has not and we are
- * testing the server, exit with HTTP code 401. Otherwise treat it as an empty
- * string.
+ * testing the server, exit with HTTP code 401.
  */
-if (!isset($Password) || !is_string($Password)) {
+if (
+    $testing &&
+    (
+        !isset($Password) ||
+        !is_string($Password)
+    )
+) {
     if ($testing) {
         header($protocol . ' 401 Unauthorized');
         exit();
     }
-    $Password = '';
 }
 
 /**
  * If the client did not submit a password, or the submitted password did not
  * match this server's password, exit with HTTP code 403.
  */
 if (
+    !isset($Password) ||
     !isset($_POST['password']) ||
     $_POST['password'] !== hash('sha512', $Password)
 ) {