ID:               35752
 Comment by:       phpbugs at thequod dot de
 Reported By:      fcu-phpbugs at no-way dot org
 Status:           Assigned
 Bug Type:         Feature/Change Request
 Operating System: All
 PHP Version:      4.4.2RC1
 Assigned To:      dmitry
 New Comment:

Even with patching PHP to use "Authorization", it does not 
work.

I've added "-pass-header Authorization" to the 
FastCgiServer (mod_fastcgi) configuration and get the 
following:
_SERVER["Authorization"] => "Basic ZGFuaWVsOmxzZDQy"

But this gets ignored (as it seems) by 
php_handle_auth_data(), because there's no user in there.

I'm wondering though, why "Authorization" gets passed by 
Apache though, because SECURITY_HOLE_PASS_AUTHORIZATION 
does not seem to be defined and therefore "Authorization" 
should not be passed on to CGIs..?!

-----------------------------
"Authorization" patch for PHP:
--- sapi/cgi/cgi_main.c 15 Nov 2006 13:33:41 -0000      
1.267.2.15.2.18
+++ sapi/cgi/cgi_main.c 30 Nov 2006 02:18:13 -0000
@@ -972,7 +972,7 @@
                SG(request_info).content_length = 
(content_length ? atoi(content_length) : 0);

                /* The CGI RFC allows servers to pass on 
unvalidated Authorization data */
-               auth = 
sapi_cgibin_getenv("HTTP_AUTHORIZATION", 
sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC);
+               auth = sapi_cgibin_getenv("Authorization", 
sizeof("Authorization")-1 TSRMLS_CC);
                php_handle_auth_data(auth TSRMLS_CC);
        }
 }
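Review bot: the changed sapi_cgibin_getenv() call replaces the "HTTP_AUTHORIZATION" lookup with "Authorization" instead of adding to it, so a server that delivers the header under "HTTP_AUTHORIZATION" would no longer reach php_handle_auth_data(). Suggest keeping the original lookup and reading "Authorization" only when it returns NULL, and updating the comment above the call to name both variables.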
-----------------------------


Previous Comments:
------------------------------------------------------------------------

[2006-01-02 16:20:41] [EMAIL PROTECTED]

Also this behaviour is seen in PHP 5.1.1 run under FastCGI.

------------------------------------------------------------------------

[2005-12-20 22:28:30] fcu-phpbugs at no-way dot org

Description:
------------
When using Apache's Basic Auth together with PHP in FastCGI mode, the
credentials of the user do not get passed to the PHP script.

When I configure FastCGI to pass the Authentication Headers
(-pass-header Authorization), these get passed to the script, but they
are ignored by PHP.

This is because in cgi_main.c only the Env-Var "HTTP_AUTHORIZATION"
gets checked and not "Authorization" which seems to be the correct
Header value (at least with apache2).

All the Apache handlers correctly use that header to set the
authentication env vars.

Could the cgi handler also check for that header?



------------------------------------------------------------------------

