ID: 35752
Comment by: airmax at trolleur dot net
Reported By: fcu-phpbugs at no-way dot org
Status: Assigned
Bug Type: Feature/Change Request
Operating System: All
PHP Version: 4.4.2RC1
Assigned To: dmitry
New Comment:
Same behaviour with both PHP 4.4.9 & 5.2.0 using Apache 2.2.9.
Of course I could patch cgi_main.c but I have an other work-around. I
created which is called using the auto_prepend_file feature in php.ini.
<?php
// maybe we have caught authentication data in
$_SERVER['Authorization']
if((!$_SERVER['PHP_AUTH_USER'] || !$_SERVER['PHP_AUTH_USER'])
&& preg_match('/Basic\s+(.*)$/i', $_SERVER['Authorization'],
$matches)) {
list($name, $password) = explode(':', base64_decode($matches[1]));
$_SERVER['PHP_AUTH_USER'] = strip_tags($name);
$_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}
?>
Works with both PHP 4.4 & 5.2. But it would be very for someone with
CVS write access to patch this for newer releases :)
The "Authorization" header gets passed from Apache to the fastcgi
server because that's exactly what the -pass-header option means :)
(allow to pass some headers to FastCGI that aren't supposed to).
Previous Comments:
------------------------------------------------------------------------
[2007-03-25 16:37:25] phpbugs at thequod dot de
Any progress on this one? It's still the case with PHP5-CVS.
------------------------------------------------------------------------
[2006-11-30 03:47:22] phpbugs at thequod dot de
Hmm.. I'm dumb.
1. The above contains the user and password
2. I've forgotten to replace the patched php binary
But still, I'm wondering why "Authorization" gets passed
from Apache to the fastcgi server (but that's no PHP
problem and actually good).
(Would someone be so kind and "starify" the above
user/password data?)
------------------------------------------------------------------------
[2006-11-30 03:29:56] phpbugs at thequod dot de
Even with patching PHP to use "Authorization", it does not
work.
I've added "-pass-header Authorization" to the
FastCgiServer (mod_fastcgi) configuration and get the
following:
_SERVER["Authorization"] => "Basic ZGFuaWVsOmxzZDQy"
But this gets ignored (as it seems) by
php_handle_auth_data(), because there's no user in there.
I'm wondering though, why "Authorization" gets passed by
Apache though, because SECURITY_HOLE_PASS_AUTHORIZATION
does not seem to be defined and therefor "Authorization"
should not be passed on to CGIs..?!
-----------------------------
"Authorization" patch for PHP:
--- sapi/cgi/cgi_main.c 15 Nov 2006 13:33:41 -0000
1.267.2.15.2.18
+++ sapi/cgi/cgi_main.c 30 Nov 2006 02:18:13 -0000
@@ -972,7 +972,7 @@
SG(request_info).content_length =
(content_length ? atoi(content_length) : 0);
/* The CGI RFC allows servers to pass on
unvalidated Authorization data */
- auth =
sapi_cgibin_getenv("HTTP_AUTHORIZATION",
sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC);
+ auth = sapi_cgibin_getenv("Authorization",
sizeof("Authorization")-1 TSRMLS_CC);
php_handle_auth_data(auth TSRMLS_CC);
}
}
-----------------------------
------------------------------------------------------------------------
[2006-01-02 16:20:41] [EMAIL PROTECTED]
Also this behaviour is seen in PHP 5.1.1 run under FastCGI.
------------------------------------------------------------------------
[2005-12-20 22:28:30] fcu-phpbugs at no-way dot org
Description:
------------
When using Apache's Basic Auth together with php in FastCGI Mode, the
credentials of the User do not get passed to the PHP Script.
When I configure FastCGI to pass the Authentication Headers
(-pass-header Authorization), these get passed to the script, but they
are ignored by PHP.
This is because in cgi_main.c only the Env-Var "HTTP_AUTHORIZATION"
gets checked and not "Authorization" which seems to be the correct
Header value (at least with apache2).
All the apache Handler correctly use that header to set the
Authentication Env-Vars.
Could the cgi handler also check for that header?
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=35752&edit=1
