ID:               20088
 User updated by:  [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Bogus
 Bug Type:         HTTP related
 Operating System: SuSE Linux 7.2
 PHP Version:      4.2.3
 New Comment:

The patch I applied to the source was on the recommendation of php.net
developers who said that the exact same patch would soon make it into
the main tree. Therefore I assumed they recognised the original
behaviour with revelation of Kerberos passwords as a genuine bug.

Hence, with the patch applied I am now reporting that the custom
authentication method fails. 

Sorry for being thick, but have I missed something?


Previous Comments:
------------------------------------------------------------------------

[2002-10-27 21:25:19] [EMAIL PROTECTED]

Err, you have created a bug by modifying the PHP source, trying to fix
another bug?  Why did you report this bug - anyhow, it's marked bogus :)

------------------------------------------------------------------------

[2002-10-27 10:49:56] [EMAIL PROTECTED]

Yes, register_globals is on. Did your test system have similar modules
(e.g. mod_auth_kerb etc.) installed?

------------------------------------------------------------------------

[2002-10-25 12:44:04] [EMAIL PROTECTED]

Works fine here. Do you have 'register_globals=On' ??


------------------------------------------------------------------------

[2002-10-25 10:36:35] [EMAIL PROTECTED]

The following code:

<?php

// File Name: auth01.php
// Check to see if $PHP_AUTH_USER already contains info

if (!isset($PHP_AUTH_USER)) {

// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
phpinfo();
exit;
}

// If not empty, display values for variables

else {

echo "
<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>
";

}

?>

....fails. I believe the reason for this is that I have made the
following change to the PHP source:

--- php/sapi/apache/mod_php4.c.paj00    Tue Sep 10 13:59:06 2002
+++ php/sapi/apache/mod_php4.c  Tue Sep 10 13:59:17 2002
@@ -434,7 +434,7 @@
                authorization = table_get(r->headers_in,
"Authorization");
        }
        if (authorization
-/*             && !auth_type(r) */
+               && !auth_type(r) 
                && !strcasecmp(getword(r->pool, &authorization, ' '),
"Basic")) {
                tmp = uudecode(r->pool, authorization);
                SG(request_info).auth_user = getword_nulls_nc(r->pool,
&tmp, ':');
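
Review bot: the re-enabled `&& !auth_type(r)` test in the `if (authorization` condition has no comment saying why the Authorization header is left undecoded when the request has a server-side auth type, and the added line ends with a trailing space. With this test in place, the branch that fills `SG(request_info).auth_user` is skipped for any request where `auth_type(r)` returns non-NULL, so scripts under a location with an AuthType configured no longer see the Basic credentials. Replace the removed commented-out line with a short comment stating that behaviour and its purpose (keeping credentials handled by an Apache auth module away from scripts), and drop the trailing whitespace.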

I have made this change because of Bug #18391. However, custom
authentication methods, an example of which is entered above, now fail.
I would imagine that the two are linked. 

As we use mod_auth_kerb I will not remove this patch because otherwise
we leave ourselves quite open to attack from the inside. Any
suggestions on how to get custom authentication working alongside the
increased Kerberos security?

Thanks,


Paul

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=20088&edit=1
