ID: 20088 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Open +Status: Bogus Bug Type: HTTP related Operating System: SuSE Linux 7.2 PHP Version: 4.2.3 New Comment:
Err, you have created a bug by modifying the PHP source, trying to fix another bug? Why did you report this bug - anyhow, its marked bogus :) Previous Comments: ------------------------------------------------------------------------ [2002-10-27 10:49:56] [EMAIL PROTECTED] Yes, register_globals is on. Did your test system have similar modules (eg mod_auth_kerb etc) installed? ------------------------------------------------------------------------ [2002-10-25 12:44:04] [EMAIL PROTECTED] Works fine here. Do you have 'register_globals=On' ?? ------------------------------------------------------------------------ [2002-10-25 10:36:35] [EMAIL PROTECTED] The following code: <?php // File Name: auth01.php // Check to see if $PHP_AUTH_USER already contains info if (!isset($PHP_AUTH_USER)) { // If empty, send header causing dialog box to appear header('WWW-Authenticate: Basic realm="My Private Stuff"'); header('HTTP/1.0 401 Unauthorized'); phpinfo(); exit; } // If not empty, display values for variables else { echo " <P>You have entered this username: $PHP_AUTH_USER<br> You have entered this password: $PHP_AUTH_PW<br> The authorization type is: $PHP_AUTH_TYPE</p> "; } ?> ....fails. I believe the reason for this is that I have made the following change to the PHP source: --- php/sapi/apache/mod_php4.c.paj00 Tue Sep 10 13:59:06 2002 +++ php/sapi/apache/mod_php4.c Tue Sep 10 13:59:17 2002 @@ -434,7 +434,7 @@ authorization = table_get(r->headers_in, "Authorization"); } if (authorization -/* && !auth_type(r) */ + && !auth_type(r) && !strcasecmp(getword(r->pool, &authorization, ' '), "Basic")) { tmp = uudecode(r->pool, authorization); SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':'); I have made this change because of Bug #18391. However, custom authentication methods, an example of which is entered above, now fail. I would imagine that the two are linked. As we use mod_auth_kerb I will not remove this patch because otherwise we leave ourselves quite open to attack from the inside. Any suggestions on how to get custom authentication working alongside the increased kerberos security? Thanks, Paul ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=20088&edit=1