From:             [EMAIL PROTECTED]
Operating system: SuSE Linux 7.2
PHP version:      4.2.3
PHP Bug Type:     Unknown/Other Function
Bug description:  Custom authentication mechanism

The following code:

<?php

// File Name: auth01.php
// Check to see if $PHP_AUTH_USER already contains info

if (!isset($PHP_AUTH_USER)) {

// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
phpinfo();
exit;
}

// If not empty, display values for variables

else {

echo "
<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>
";

}

?>

....fails. I believe the reason for this is that I have made the following
change to the PHP source:

--- php/sapi/apache/mod_php4.c.paj00    Tue Sep 10 13:59:06 2002
+++ php/sapi/apache/mod_php4.c  Tue Sep 10 13:59:17 2002
@@ -434,7 +434,7 @@
                authorization = table_get(r->headers_in,
"Authorization");
        }
        if (authorization
-/*             && !auth_type(r) */
+               && !auth_type(r) 
                && !strcasecmp(getword(r->pool, &authorization, ' '),
"Basic")) {
                tmp = uudecode(r->pool, authorization);
                SG(request_info).auth_user = getword_nulls_nc(r->pool,
&tmp, ':');
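
Review bot: The re-enabled "&& !auth_type(r)" test in the if condition is an unconditional compile-time gate with no comment explaining it. With it in place, the uudecode() call and the auth_user assignment below are skipped for every request where auth_type(r) is non-NULL, so scripts in those locations never receive the Basic credentials. Please replace the removed comment markers with a short comment saying the check keeps credentials handled by a server auth module out of script-visible variables, and consider making it a runtime setting rather than a source edit, so locations that rely on script-driven authentication can opt out. The added line also ends in trailing whitespace.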

I have made this change because of Bug #18391. However, custom
authentication methods, an example of which is entered above, now fail. I
would imagine that the two are linked. 

As we use mod_auth_kerb I will not remove this patch because otherwise we
leave ourselves quite open to attack from the inside. Any suggestions on
how to get custom authentication working alongside the increased Kerberos
security?

Thanks,


Paul
-- 
Edit bug report at http://bugs.php.net/?id=20088&edit=1