#32332 [Opn]: In safe mode, Authorization headers are not accesible

Thu, 17 Mar 2005 22:38:33 -0800 

 ID:               32332
 User updated by:  lacak at users dot sourceforge dot net
-Reported By:      lacak at sourceforge dot net
+Reported By:      lacak at users dot sourceforge dot net
 Status:           Open
 Bug Type:         Feature/Change Request
 Operating System: ANY
 PHP Version:      4.3.10
 New Comment:

if PHP is running as Apache module in safe_mode=On and I use "HTTP
Digest Authorization",
 there is no possibility obtain supplied Authorization
header.

When I use apache_request_headers() function, Authorization header is
not included (if safe_mode=On)!

So I can not authenticate request.


Previous Comments:
------------------------------------------------------------------------

[2005-03-18 07:35:37] lacak at users dot sourceforge dot net

if safe_mode=On there is no possibility to obtain HTTP Authorization
header, so no validation can be make.

The solution : why not include Authorization header in
$_SERVER["Authorization"] ... ?

Sample code :
<?php
//phpinfo();

 if (isset($_SERVER["PHP_AUTH_USER"])) {
  echo $_SERVER["PHP_AUTH_USER"].":".$_SERVER["PHP_AUTH_PW"];
  print_r(apache_request_headers());
  phpinfo();
  exit;
 }

 if (!empty($_SERVER["REMOTE_IDENT"])) {
  echo $_SERVER["REMOTE_IDENT"];
  print_r(apache_request_headers());
  phpinfo();
  exit;
 }

 if (!empty($_SERVER["Authorization"])) {
  echo $_SERVER["Authorization"];
  print_r(apache_request_headers());
  phpinfo();
  exit;
 }

  Header( "HTTP/1.0 401 Unauthorized");
  Header( "WWW-Authenticate: Digest realm=\"www.horiaciker.sk\",
opaque=\"opaque\", nonce=\"nonce\", stale=\"false\", qop=\"auth\"");
  Header( "WWW-Authenticate: Basic realm=\"www.horiaciker.sk\"",
false);
  echo "K prístupu je potrebné zadať platný login a heslo\n";
  print_r(getallheaders());
  exit;
?>

------------------------------------------------------------------------

[2005-03-16 13:09:38] lacak at users dot sourceforge dot net

Description:
------------
if PHP is running as Apache module in safe mode and I use "Digest
Authorization", there is no possibility obtain supplied Authorization
header.

When I use apache_request_headers() function, Authorization header is
not included !

So I can not authenticate request.




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=32332&edit=1

Reply via email to