From: kabute at gulo dot org Operating system: GNU/Linux (Debian) PHP version: 5.2.8 PHP Bug Type: Apache2 related Bug description: Problem with .htaccess, high consumption of resources , probable DOS
Description: ------------ If you create a directory with a .htaccess and a .htpassword inside (and Apache2 correctly configured), and you create a .php file with the next code: <?php $user = $_SERVER['PHP_AUTH_USER']; $pass = $_SERVER['PHP_AUTH_PW']; $validated = ($user=="user") && (($pass) == "pass"); if (!$validated) { header('WWW-Authenticate: Basic realm="Realm"'); header('HTTP/1.0 401 Unauthorized'); die ("Authentification failed."); } ?> In the second authetification the browser will start loading the page waiting for response. Looking at the apache's error log it will show an "user not found" error. I've tried it with PHP 5.2.6 and PHP 5.2.7 . Reproduce code: --------------- <?php //Remember to create .htaccess and .htpasswd $user = $_SERVER['PHP_AUTH_USER']; $pass = $_SERVER['PHP_AUTH_PW']; $validated = ($user=="user") && (($pass) == "pass"); if (!$validated) { header('WWW-Authenticate: Basic realm="Realm"'); header('HTTP/1.0 401 Unauthorized'); die ("Authentification failed."); } ?> Expected result: ---------------- Resources comsuption, maybe DOS. Actual result: -------------- Very high memory load. -- Edit bug report at http://bugs.php.net/?id=47116&edit=1 -- Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=47116&r=trysnapshot52 Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=47116&r=trysnapshot53 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=47116&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=47116&r=fixedcvs Fixed in CVS and need be documented: http://bugs.php.net/fix.php?id=47116&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=47116&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=47116&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=47116&r=needscript Try newer version: http://bugs.php.net/fix.php?id=47116&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=47116&r=support Expected behavior: http://bugs.php.net/fix.php?id=47116&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=47116&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=47116&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=47116&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=47116&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=47116&r=dst IIS Stability: http://bugs.php.net/fix.php?id=47116&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=47116&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=47116&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=47116&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=47116&r=mysqlcfg