ID:               32392
 Updated by:       [EMAIL PROTECTED]
 Reported By:      lacak at users dot sourceforge dot net
-Status:           Open
+Status:           Bogus
 Bug Type:         Feature/Change Request
 Operating System: Win
 PHP Version:      4.3.10
 New Comment:

That would allow you to steal passwords from other scripts on the same
shared server which is exactly what safemode is designed to counteract.
 So no, this won't change.


Previous Comments:
------------------------------------------------------------------------

[2005-03-21 09:23:48] lacak at users dot sourceforge dot net

Description:
------------
Help PHP Developers, please, please

If PHP is running as an Apache module with safe_mode=on, the
Authorization header is not included in the result of the function
apache_request_headers().

When I use "HTTP Digest Authorization" in my PHP script I cannot
validate the client's response, because I cannot obtain the supplied
Authorization header.

Please change the behavior of apache_request_headers(), so it hides
the Authorization header only if:
(safe_mode=on) && (AuthType is set to [Basic|Digest] in httpd.conf or
.htaccess)
so only if Apache performs authentication

Please reply ...
Thank you

Reproduce code:
---------------
Sample code :
<?php

  // 1. Is the Authorization header visible through apache_request_headers()?
  $headers = apache_request_headers();
  if (isset($headers["Authorization"])) {
    print_r($headers);
    phpinfo();
    exit;
  }

  // 2. Did PHP parse the credentials itself?
  if (isset($_SERVER["PHP_AUTH_USER"])) {
    echo $_SERVER["PHP_AUTH_USER"] . ":" . $_SERVER["PHP_AUTH_PW"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
  }

  if (!empty($_SERVER["REMOTE_IDENT"])) {
    echo $_SERVER["REMOTE_IDENT"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
  }

  if (!empty($_SERVER["Authorization"])) {
    echo $_SERVER["Authorization"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
  }

  // 3. No credentials found anywhere: send the Digest challenge.
  header("HTTP/1.0 401 Unauthorized");
  header("WWW-Authenticate: Digest realm=\"www.myrealm.com\", "
       . "opaque=\"opaque\", nonce=\"nonce\", stale=\"false\", qop=\"auth\"");
  print_r(getallheaders());
  exit;
?>



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=32392&edit=1
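
For reference, the validation the reporter describes (checking a client's Digest response taken from the Authorization header) looks like this for qop=auth with MD5. This is an added example, not code from the bug report or from PHP itself; it assumes PHP 7.1 or later, the function names are hypothetical, and the sample header is the test vector from RFC 2617 section 3.5 rather than the realm and nonce used in the report.

```php
<?php
// Added example. Verifies an RFC 2617 Digest response (qop=auth, MD5).
// Function names are hypothetical; sample values are the RFC 2617 sec. 3.5 vector.

function parse_digest_header(string $header): ?array
{
    if (stripos($header, 'Digest ') !== 0) {
        return null;                      // not a Digest credential
    }
    // Each parameter is key="quoted value" or key=token.
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/',
                   substr($header, 7), $matches, PREG_SET_ORDER);
    $params = [];
    foreach ($matches as $m) {
        $params[strtolower($m[1])] = $m[2] !== '' ? $m[2] : ($m[3] ?? '');
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'] as $key) {
        if (!isset($params[$key])) {
            return null;                  // reject incomplete credentials
        }
    }
    return $params;
}

function verify_digest(array $p, string $method, string $password,
                       string $realm, string $nonce): bool
{
    // The realm and nonce must be the ones this server issued in its 401.
    if ($p['realm'] !== $realm || $p['nonce'] !== $nonce || $p['qop'] !== 'auth') {
        return false;
    }
    $ha1 = md5($p['username'] . ':' . $realm . ':' . $password);
    $ha2 = md5($method . ':' . $p['uri']);
    $expected = md5(implode(':', [$ha1, $nonce, $p['nc'], $p['cnonce'], 'auth', $ha2]));
    return hash_equals($expected, strtolower($p['response']));  // constant-time compare
}

// Constructed input: the Authorization header from RFC 2617 section 3.5.
$header = 'Digest username="Mufasa", realm="testrealm@host.com", '
        . 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
        . 'qop=auth, nc=00000001, cnonce="0a4f113b", '
        . 'response="6629fae49393a05397450978507c4ef1", '
        . 'opaque="5ccc069c403ebaf9f0171e9517f40e41"';
$nonce = 'dcd98b7102dd2f0e8b11d0f600bfb0c093';

$p = parse_digest_header($header);
var_dump($p !== null && verify_digest($p, 'GET', 'Circle Of Life', 'testrealm@host.com', $nonce));
var_dump($p !== null && verify_digest($p, 'GET', 'wrong password', 'testrealm@host.com', $nonce));
```

A deployment would also compare the uri parameter with the URI actually requested and track nc per nonce so that a captured response cannot be replayed.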
