On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:

> I'm still not overly convinced that this isn't a restriction that should
> only kick in when safe_mode or open_basedir is active. This change is
> going to break working code and it is not a security fix on non-shared
> servers.

True, but it was clearly documented that it shouldn't work. Do we really
have to make a feature out of every bug? I'd say no...

Derick

> > ID: 20461
> > Updated by: [EMAIL PROTECTED]
> > Reported By: [EMAIL PROTECTED]
> > -Status: Open
> > +Status: Bogus
> > Bug Type: Apache related
> > Operating System: Linux 2.4.8
> > PHP Version: 4CVS-2002-11-17
> > New Comment:
> >
> > Then that is an external auth mechanism and means this
> > is not a bug in PHP:
> >
> > From: http://www.php.net/manual/en/features.http-auth.php
> >
> > "In order to prevent someone from writing a script which
> > reveals the password for a page that was authenticated
> > through a traditional external mechanism, the
> > PHP_AUTH variables will not be set if external
> > authentication is enabled for that particular page. In this
> > case, REMOTE_USER can be used to identify the
> > externally-authenticated user. So, $_SERVER['REMOTE_USER'].
> >
> > Configuration Note: PHP uses the presence of an AuthType
> > directive to determine whether external authentication is in
> > effect. Remember to avoid this directive for the context
> > where you want to use PHP authentication (otherwise each
> > authentication attempt will fail).
> > "
> >
> > There was a bug in previous PHP 4 versions which let the
> > external authenticated usernames and passwords to be revealed for
> > scripts. This is fixed in PHP 4.3.0.
> >
> > (btw. you really should upgrade your apache to 1.3.27! And forget
> > Apache2, it really is not ready for production use)
> >
> >
> > Previous Comments:
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 22:45:43] [EMAIL PROTECTED]
> >
> > forgot to answer your other question.. using apache 1.3.20 -- been
> > wanting to upgrade to 2.0 but have had a whole different set of
> > problems w/ that, so taking things one step at a time...
> >
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 22:43:25] [EMAIL PROTECTED]
> >
> > tried using $_SERVER already, no dice.
> >
> > i meant using the mod_auth module in apache to protect certain
> > directories.. when those directories are accessed, the browser pops up
> > a window for the user to enter in their username/password for that
> > resource...
> >
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 22:23:00] [EMAIL PROTECTED]
> >
> > I can not reproduce this, it works fine here.
> > Try accessing the variables through $_SERVER variable:
> >
> > $_SERVER['PHP_AUTH_USER']
> > $_SERVER['PHP_AUTH_PW']
> >
> > And what Apache version are you using?
> > What do you mean with "regular http authentication through apache" ??
> >
> >
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 22:09:27] [EMAIL PROTECTED]
> >
> > not using any external auth... simply using regular http authentication
> > through apache... certain directories on the webserver are protected,
> > and so it pops up the box asking the user for username/password.. and
> > then rather than ask them AGAIN for a login for some of my web-based
> > apps, i simply pass the http auth info (via $PHP_AUTH_USER and
> > $PHP_AUTH_PW) along to these apps. the only problem is, those 2
> > variables don't seem to exist anymore for me. nothing has changed in
> > my configuration except for the fact that i'm now using the cvs version
> > of php as opposed to 4.2.3 (if you read in my original bug report it
> > explains why).
> >
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 20:13:05] [EMAIL PROTECTED]
> >
> > Are you using some external auth mechanism?
> >
> >
> > ------------------------------------------------------------------------
> >
> > The remainder of the comments for this report are too long. To view
> > the rest of the comments, please view the bug report online at
> > http://bugs.php.net/20461
> >
> > --
> > Edit this bug report at http://bugs.php.net/?id=20461&edit=1
> >
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--

---------------------------------------------------------------------------
 Derick Rethans                                   http://derickrethans.nl/
 JDI Media Solutions
--------------[ if you hold a unix shell to your ear, do you hear the c? ]-
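
An added example, not part of the thread and not PHP project code: one way for a script to identify the user without ever needing the Apache-verified password, following the manual text quoted in the bug report. The function names, the sample credential store and the realm string are hypothetical, and the syntax targets current PHP rather than PHP 4.

```php
<?php
// Constructed sample store: username => password_hash() output.
function sample_users(): array {
    return ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
}

/**
 * Return the authenticated user name, or null if the client must be challenged.
 * $server is normally $_SERVER; it is a parameter so the logic can run offline.
 */
function authenticated_user(array $server, array $users): ?string {
    // External auth: an AuthType directive covers this URL and Apache has
    // already checked the credentials. Per the manual text quoted in the
    // thread, PHP_AUTH_* are withheld here; the script only needs REMOTE_USER
    // and never touches the password.
    if (!empty($server['REMOTE_USER'])) {
        return $server['REMOTE_USER'];
    }

    // PHP-level auth: no AuthType in this context, so the script itself
    // verifies what the browser sent in the Authorization header.
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if ($user === null || $pass === null || !isset($users[$user])) {
        return null;
    }
    return password_verify($pass, $users[$user]) ? $user : null;
}

$user = authenticated_user($_SERVER, sample_users());
if ($user === null) {
    // Challenge the browser; only meaningful where PHP does the authentication.
    header('WWW-Authenticate: Basic realm="Example realm"');
    header('HTTP/1.0 401 Unauthorized');
    exit("Authentication required\n");
}
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";
```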