ID:               14370
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Open
 Bug Type:         Apache related
 Operating System: FreeBSD
 PHP Version:      4.0.6
 New Comment:

The following patch solves this bug by not exporting the PHP_AUTH_*
variables if safe_mode is set.

===8<====================================================
--- php-4.1.2/main/main.c.orig-securevars       Mon Dec 17 22:19:51
2001
+++ php-4.1.2/main/main.c       Mon Mar 11 07:34:40 2002
@@ -1031,10 +1031,10 @@
        }
 
        /* PHP Authentication support */
-       if (SG(request_info).auth_user) {
+       if (!PG(safe_mode) && SG(request_info).auth_user) {
                php_register_variable("PHP_AUTH_USER",
SG(request_info).auth_user, array_ptr TSRMLS_CC);
        }
-       if (SG(request_info).auth_password) {
+       if (!PG(safe_mode) && SG(request_info).auth_password) {
                php_register_variable("PHP_AUTH_PW",
SG(request_info).auth_password, array_ptr TSRMLS_CC);
        }
 }
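
Review bot: the `!PG(safe_mode) &&` test added to both `if` lines keys the suppression on safe_mode, whereas the original report in this thread asks for PHP_AUTH_PW to be withheld when external (Apache) authentication is in use. With safe_mode off, both variables are still registered exactly as before, so a server that relies on Apache authentication without safe_mode sees no change. The hunk also withholds PHP_AUTH_USER under safe_mode, which the report does not ask for; consider leaving the `SG(request_info).auth_user` branch unconditional, or state in the change description that dropping the user name is intended.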


Previous Comments:
------------------------------------------------------------------------

[2002-03-11 07:36:53] [EMAIL PROTECTED]

The following patch solves this bug by not exporting the PHP_AUTH_*
variables when safe_mode is set.

===8<====================================================
--- php-4.1.2/main/main.c.orig-securevars       Mon Dec 17 22:19:51
2001
+++ php-4.1.2/main/main.c       Mon Mar 11 07:34:40 2002
@@ -1031,10 +1031,10 @@
        }
 
        /* PHP Authentication support */
-       if (SG(request_info).auth_user) {
+       if (!PG(safe_mode) && SG(request_info).auth_user) {
                php_register_variable("PHP_AUTH_USER",
SG(request_info).auth_user, array_ptr TSRMLS_CC);
        }
-       if (SG(request_info).auth_password) {
+       if (!PG(safe_mode) && SG(request_info).auth_password) {
                php_register_variable("PHP_AUTH_PW",
SG(request_info).auth_password, array_ptr TSRMLS_CC);
        }
 }
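
Review bot: the comment `/* PHP Authentication support */` above the two `if` statements is left unchanged although the block now depends on safe_mode. Say there that PHP_AUTH_USER and PHP_AUTH_PW are not registered when safe_mode is on, and note the behaviour change in the user documentation, since scripts that read these variables will find them unset. The repeated `!PG(safe_mode) &&` test could also be written once as an enclosing `if (!PG(safe_mode)) { ... }` around both registrations.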

------------------------------------------------------------------------

[2001-12-06 19:34:29] [EMAIL PROTECTED]

PHP_AUTH_PW is being improperly set when external authentication is
active on Apache.

I have a directory structure that is protected via Apache
authentication, according to the PHP documentation the PHP_AUTH_PW
should not be available when external authentication is in use.  This
is necessary for security concerns when you cannot trust the php
applications.  In any case, w/ php the AUTH_PW is being set at all
times.  Please fix, thanks!

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=14370&edit=1
