ID: 35752
Comment by: phpbugs at thequod dot de
Reported By: fcu-phpbugs at no-way dot org
Status: Assigned
Bug Type: Feature/Change Request
Operating System: All
PHP Version: 4.4.2RC1
Assigned To: dmitry

New Comment:

Hmm.. I'm dumb.
1. The above contains the user and password
2. I've forgotten to replace the patched php binary

But still, I'm wondering why "Authorization" gets passed from Apache to the fastcgi server (but that's no PHP problem and actually good).

(Would someone be so kind and "starify" the above user/password data?)


Previous Comments:
------------------------------------------------------------------------

[2006-11-30 03:29:56] phpbugs at thequod dot de

Even with patching PHP to use "Authorization", it does not work.

I've added "-pass-header Authorization" to the FastCgiServer (mod_fastcgi) configuration and get the following:
_SERVER["Authorization"] => "Basic ZGFuaWVsOmxzZDQy"

But this gets ignored (as it seems) by php_handle_auth_data(), because there's no user in there.

I'm wondering though, why "Authorization" gets passed by Apache though, because SECURITY_HOLE_PASS_AUTHORIZATION does not seem to be defined and therefore "Authorization" should not be passed on to CGIs..?!

-----------------------------
"Authorization" patch for PHP:
--- sapi/cgi/cgi_main.c 15 Nov 2006 13:33:41 -0000 1.267.2.15.2.18 +++ sapi/cgi/cgi_main.c 30 Nov 2006 02:18:13 -0000
@@ -972,7 +972,7 @@ SG(request_info).content_length = (content_length ? atoi(content_length) : 0); /* The CGI RFC allows servers to pass on unvalidated Authorization data */ - auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION", sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC); + auth = sapi_cgibin_getenv("Authorization", sizeof("Authorization")-1 TSRMLS_CC); php_handle_auth_data(auth TSRMLS_CC); } }
-----------------------------

------------------------------------------------------------------------

[2006-01-02 16:20:41] [EMAIL PROTECTED]

Also this behaviour is seen in PHP 5.1.1 run under FastCGI.

------------------------------------------------------------------------

[2005-12-20 22:28:30] fcu-phpbugs at no-way dot org

Description:
------------
When using Apache's Basic Auth together with PHP in FastCGI mode, the credentials of the user do not get passed to the PHP script.

When I configure FastCGI to pass the authentication headers (-pass-header Authorization), these get passed to the script, but they are ignored by PHP.

This is because in cgi_main.c only the env var "HTTP_AUTHORIZATION" gets checked and not "Authorization", which seems to be the correct header value (at least with apache2). All the Apache handlers correctly use that header to set the authentication env vars.

Could the cgi handler also check for that header?

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=35752&edit=1
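
Review bot: the changed sapi_cgibin_getenv() call replaces the "HTTP_AUTHORIZATION" lookup instead of adding to it, so a server that does supply HTTP_AUTHORIZATION would no longer have its credentials reach php_handle_auth_data(). The original request asks whether the CGI handler could also check "Authorization"; consider keeping the existing lookup and reading "Authorization" only when it returns NULL. The context comment notes that this data is unvalidated, so it would help to extend that comment to say which variable names are accepted and in what order.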
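
The lookup the original description asks for, as an added stand-alone example (not PHP's code and not part of the report): it reads the credentials from HTTP_AUTHORIZATION and falls back to Authorization, then splits a Basic value into user and password. The names find_auth_env, b64val and parse_basic are hypothetical, and the credentials in main are constructed sample values.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: prefer the CGI-style name, else the raw header name. */
static const char *find_auth_env(void)
{
    const char *v = getenv("HTTP_AUTHORIZATION");
    return (v && *v) ? v : getenv("Authorization");
}

/* Value of one base64 character, or -1 if outside the alphabet. */
static int b64val(int c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Decode "Basic <base64(user:pass)>" into out; *pass points at the password.
 * Returns 0, or -1 if missing, not Basic, malformed, too long or no ':'. */
static int parse_basic(const char *hdr, char *out, size_t cap, char **pass)
{
    size_t n = 0;
    unsigned acc = 0, bits = 0;
    if (!hdr || strncasecmp(hdr, "Basic ", 6) != 0)
        return -1;
    for (hdr += 6; *hdr && *hdr != '='; hdr++) {
        int v = b64val((unsigned char)*hdr);
        if (v < 0 || n + 1 >= cap)      /* reject junk and overlong input */
            return -1;
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) >= 8)
            out[n++] = (char)((acc >> (bits -= 8)) & 0xff);
    }
    out[n] = '\0';
    if ((*pass = strchr(out, ':')) == NULL)
        return -1;
    *(*pass)++ = '\0';                  /* terminate user, step to password */
    return 0;
}

int main(void)
{
    char buf[64], *pw;                  /* constructed sample: alice / s3cret */
    setenv("Authorization", "Basic YWxpY2U6czNjcmV0", 1);
    return parse_basic(find_auth_env(), buf, sizeof buf, &pw);
}
```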