ID: 32392
User updated by: lacak at users dot sourceforge dot net
Reported By: lacak at users dot sourceforge dot net
-Status: Bogus
+Status: Open
Bug Type: Feature/Change Request
Operating System: Win
PHP Version: 4.3.10
New Comment:

Please reply ...


Previous Comments:
------------------------------------------------------------------------

[2005-03-21 11:58:27] lacak at users dot sourceforge dot net

Thank you rasmus, for reply :
1. So how can I use "HTTP Digest Authorization" in a PHP script ? (is it impossible ? is there really no solution today ? or in the future ?)
2. Why is it a security problem ? When safe_mode=on, then uid is added to realm, so other scripts on the same shared (ISP) server cannot simulate the same realm and so steal passwords ?
And another thing : when I use "HTTP Basic Authorization", then $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] are set (so may be stolen) when safe_mode=on, but the Authorization header is not set.

------------------------------------------------------------------------

[2005-03-21 10:31:21] [EMAIL PROTECTED]

That would allow you to steal passwords from other scripts on the same shared server, which is exactly what safemode is designed to counteract. So no, this won't change.

------------------------------------------------------------------------

[2005-03-21 09:23:48] lacak at users dot sourceforge dot net

Description:
------------
Help PHP Developers, please, please: if PHP is running as an Apache module with safe_mode=on, the result of function apache_request_headers() does not include the Authorization header.
When I use "HTTP Digest Authorization" in my PHP script I cannot validate the client's response, because I cannot obtain the supplied Authorization header.
Please change the behavior of apache_request_headers(), so it hides the Authorization header only if :
(safe_mode=on) && (AuthType is set to [Basic|Digest] in httpd.conf or .htaccess)
so only if Apache performs authentication
Please reply ...
Thank you

Reproduce code:
---------------
Sample code :

<?php
$headers = apache_request_headers();
// Case 1: the raw Authorization header is visible to the script
// (this is the entry that is missing under safe_mode=on).
if (isset($headers["Authorization"])) {
    print_r($headers);
    phpinfo();
    exit;
}
// Case 2: PHP already decoded HTTP Basic credentials.
if (isset($_SERVER["PHP_AUTH_USER"])) {
    echo $_SERVER["PHP_AUTH_USER"] . ":" . $_SERVER["PHP_AUTH_PW"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}
// Case 3: identity reported via the ident protocol, if Apache is set up for it.
if (!empty($_SERVER["REMOTE_IDENT"])) {
    echo $_SERVER["REMOTE_IDENT"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}
// Case 4: Authorization passed through in $_SERVER.
if (!empty($_SERVER["Authorization"])) {
    echo $_SERVER["Authorization"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}
// Nothing found: challenge the client with a Digest realm.
header("HTTP/1.0 401 Unauthorized");
header("WWW-Authenticate: Digest realm=\"www.myrealm.com\", opaque=\"opaque\", nonce=\"nonce\", stale=\"false\", qop=\"auth\"");
print_r(getallheaders());
exit;
?>

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=32392&edit=1
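As an added example (not code from this bug report or from PHP itself), the following script shows what the reporter's script would have to do once it does have the Authorization header: parse the "Digest" credentials and check the response hash against the server's stored HA1 (RFC 2617, qop=auth, MD5). It reuses the realm, nonce and opaque values from the bug's sample WWW-Authenticate header; the user "alice", the password, the request URI and the cnonce are constructed test data, and the client's header is built locally because under safe_mode=on apache_request_headers() does not deliver it. Where it is obtained from is left to the caller.

```php
<?php
// Added example, not code from bug #32392 or from PHP: server-side check of an
// "HTTP Digest Authorization" response (RFC 2617, qop=auth, algorithm MD5).
// realm/nonce/opaque come from the bug's sample challenge; the user, password,
// URI and cnonce below are constructed.

// Parse the value of an "Authorization: Digest ..." header into name => value.
// Returns null when the header does not use the Digest scheme.
function parse_digest_header($header)
{
    if (strncasecmp($header, 'Digest ', 7) !== 0) {
        return null;
    }
    $params = array();
    // Each parameter is either name="quoted value" or name=token.
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        // Group 3 (token) is only present in the array when the unquoted form matched.
        $params[$m[1]] = isset($m[3]) ? $m[3] : $m[2];
    }
    return $params;
}

// HA1 = MD5(username:realm:password); this is what the server stores per user.
function digest_ha1($username, $realm, $password)
{
    return md5($username . ':' . $realm . ':' . $password);
}

// response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
function digest_response($ha1, $method, $uri, $nonce, $nc, $cnonce, $qop)
{
    $ha2 = md5($method . ':' . $uri);
    return md5($ha1 . ':' . $nonce . ':' . $nc . ':' . $cnonce . ':' . $qop . ':' . $ha2);
}

// Validate a client's Digest header. $ha1_table maps username => HA1 for the
// realm this server issued; $expected_nonce is the nonce sent in the challenge.
function validate_digest($header, $method, $expected_realm, $expected_nonce, $ha1_table)
{
    $p = parse_digest_header($header);
    if ($p === null) {
        return false;
    }
    foreach (array('username', 'realm', 'nonce', 'uri', 'qop', 'nc', 'cnonce', 'response') as $field) {
        if (!isset($p[$field])) {
            return false;
        }
    }
    // The client must answer the challenge this server issued, with qop=auth.
    if ($p['realm'] !== $expected_realm || $p['nonce'] !== $expected_nonce || $p['qop'] !== 'auth') {
        return false;
    }
    if (!isset($ha1_table[$p['username']])) {
        return false;
    }
    $expected = digest_response($ha1_table[$p['username']], $method, $p['uri'],
                                $p['nonce'], $p['nc'], $p['cnonce'], 'auth');
    // Compare in constant time where PHP offers it (hash_equals, PHP >= 5.6).
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $p['response']);
    }
    return $expected === $p['response'];
}

// --- Constructed exchange: the challenge values from the bug's sample, then a client answer.
$realm  = 'www.myrealm.com';
$nonce  = 'nonce';   // fixed in the bug's sample; a real server issues a fresh random nonce per challenge
$opaque = 'opaque';
$ha1_table = array('alice' => digest_ha1('alice', $realm, 'secret'));   // constructed user

// What a browser would send back for GET /protected/index.php (cnonce constructed).
$uri    = '/protected/index.php';
$cnonce = '0a4f113b';
$client_header = 'Digest username="alice", realm="' . $realm . '", nonce="' . $nonce . '", '
    . 'uri="' . $uri . '", qop=auth, nc=00000001, cnonce="' . $cnonce . '", '
    . 'response="' . digest_response($ha1_table['alice'], 'GET', $uri, $nonce, '00000001', $cnonce, 'auth') . '", '
    . 'opaque="' . $opaque . '"';

// In the bug's scenario $client_header would be $headers["Authorization"] from
// apache_request_headers(); under safe_mode=on that entry is missing.
echo "matching response:  "; var_dump(validate_digest($client_header, 'GET', $realm, $nonce, $ha1_table));
echo "wrong method:       "; var_dump(validate_digest($client_header, 'POST', $realm, $nonce, $ha1_table));
echo "stale nonce:        "; var_dump(validate_digest($client_header, 'GET', $realm, 'other-nonce', $ha1_table));
echo "altered nc:         "; var_dump(validate_digest(str_replace('nc=00000001', 'nc=00000002', $client_header), 'GET', $realm, $nonce, $ha1_table));
?>
```

The checks at the end show why the raw header matters: the server recomputes the digest from the method, URI, nonce, nc and cnonce the client actually sent, so any of those fields being absent or altered makes validation fail. Because the nonce is part of the hash, a server that issues a fresh random nonce per challenge also rejects replays of an earlier response, which the fixed "nonce" value in the bug's sample code does not.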