ID: 20088
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Feedback
-Bug Type: Unknown/Other Function
+Bug Type: HTTP related
Operating System: SuSE Linux 7.2
PHP Version: 4.2.3
New Comment:
Works fine here. Do you have 'register_globals=On' ??
Previous Comments:
------------------------------------------------------------------------
[2002-10-25 10:36:35] [EMAIL PROTECTED]
The following code:
<?php
// File Name: auth01.php
// Check to see if $PHP_AUTH_USER already contains info
if (!isset($PHP_AUTH_USER)) {
// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
phpinfo();
exit;
}
// If not empty, display values for variables
else {
echo "
<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>
";
}
?>
....fails. I believe the reason for this is that I have made the
following change to the PHP source:
--- php/sapi/apache/mod_php4.c.paj00 Tue Sep 10 13:59:06 2002
+++ php/sapi/apache/mod_php4.c Tue Sep 10 13:59:17 2002
@@ -434,7 +434,7 @@
authorization = table_get(r->headers_in,
"Authorization");
}
if (authorization
-/* && !auth_type(r) */
+ && !auth_type(r)
&& !strcasecmp(getword(r->pool, &authorization, ' '),
"Basic")) {
tmp = uudecode(r->pool, authorization);
SG(request_info).auth_user = getword_nulls_nc(r->pool,
&tmp, ':');
I have made this change because of Bug #18391. However, custom
authentication methods, an example of which is entered above, now fail.
I would imagine that the two are linked.
As we use mod_auth_kerb I will not remove this patch because otherwise
we leave ourselves quite open to attack from the inside. Any
suggestions on how to get custom authentication working alongside the
increased kerberos security?
Thanks,
Paul
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=20088&edit=1
