Ohh, it seems we have been working on the same patch simultaneously :)
Attached is my version of fix for bug #20441, which adopts a new ini entry
"php_auth_exposure" so that administrators can selectively expose auth
information to the clients regardless of safe_mode settings.
Possible values are:
- php_auth_exposure=user
Only PHP_AUTH_USER is exposed.
- php_auth_exposure=pw
Only PHP_AUTH_PW is exposed.
- php_auth_exposure=user,pw
Both PHP_AUTH_USER and PHP_AUTH_PW are exposed.
Hope this helps.
Moriyoshi
Philip Olson <[EMAIL PROTECTED]> wrote:
>
> Attached is a patch that essentially goes back
> to 4.2.3 behavior except the external auth will not
> be available with PHP in safe mode. REMOTE_USER
> exists regardless.
>
> It seems some people also wanted an ini option, I don't
> know how to do that! :)
>
> References for this patch:
> http://bugs.php.net/20441
> http://cvs.php.net/diff.php/php4/sapi/apache/mod_php4.c?r1=1.132&r2=1.133
>
> On a related note, I'm curious why PHP_AUTH_TYPE does
> not exist, only the variable AUTH_TYPE does (for me).
> PHP_AUTH_TYPE has been documented forever, not sure if
> it used to exist but various parts of PHP4 source make
> it seem like it should.
>
> Regards,
> Philip Olson
>
> p.s. Thanks to Wez and Steph for teaching me not to fear
> the source.
>
>
> On Fri, 20 Dec 2002, Andrei Zmievski wrote:
>
> > Everyone,
> >
> > I have just released 4.3.0RC4. Despite the quote in my signature, I am
> > determined to keep this one the very last final RC of the interminable
> > 4.3.0 development cycle. Towards that end, I will closely monitor the
> > CVS commits and revert any that do not satisfactorily explain what
> > critical or showstopper bug they are fixing. I am aware that
> > PHP_AUTH_USER issue raises certain concerns, but no one apparently could
> > make a patch. If, however, one appears very soon, I may consider it a
> > special one and apply it for 4.3.0.
> >
> > -Andrei http://www.gravitonic.com/
> >
> > "The time from now until the completion
> > of the project tends to become constant." -- Douglas Hartree
> >
> > --
> > PHP Development Mailing List <http://www.php.net/>
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
>
Index: main/main.c
===================================================================
RCS file: /repository/php4/main/main.c,v
retrieving revision 1.520
diff -u -r1.520 main.c
--- main/main.c 16 Dec 2002 15:43:52 -0000 1.520
+++ main/main.c 21 Dec 2002 06:17:30 -0000
@@ -112,6 +112,9 @@
static void php_build_argv(char *s, zval *track_vars_array TSRMLS_DC);
+static PHP_INI_MH(OnUpdate_php_auth_exposure);
+#define PHP_EXPOSE_AUTH_USER 0x0001
+#define PHP_EXPOSE_AUTH_PW 0x0002
static char *short_track_vars_names[] = {
"_POST",
@@ -275,6 +278,7 @@
STD_PHP_INI_ENTRY("output_handler", NULL,
PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateString, output_handler,
php_core_globals, core_globals)
STD_PHP_INI_BOOLEAN("register_argc_argv", "1",
PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateBool, register_argc_argv,
php_core_globals, core_globals)
STD_PHP_INI_BOOLEAN("register_globals", "0",
PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateBool, register_globals,
php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("php_auth_exposure", "none",
+PHP_INI_SYSTEM, OnUpdate_php_auth_exposure, php_auth_exposure,
+php_core_globals, core_globals)
#if PHP_SAFE_MODE
STD_PHP_INI_BOOLEAN("safe_mode", "1",
PHP_INI_SYSTEM, OnUpdateBool, safe_mode,
php_core_globals, core_globals)
#else
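Review bot: The added `php_auth_exposure` entry defaults to `"none"`, so unless an administrator opts in, neither PHP_AUTH_USER nor PHP_AUTH_PW is registered, including for scripts that implement HTTP Basic authentication themselves with no server-side auth in front of them. Failing closed is the safer default, but it is a visible behaviour change and the entry carries no explanation. A comment above it such as `/* "none" hides PHP_AUTH_*; PHP_INI_SYSTEM so scripts cannot widen it at runtime */` would record the intent. Note also that `"none"` is not a keyword the handler recognises; it yields 0 only because unknown tokens are ignored.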
@@ -1191,6 +1195,7 @@
SG(request_info).argv=(char **)NULL;
PG(connection_status) = PHP_CONNECTION_NORMAL;
PG(during_request_startup) = 0;
+ PG(php_auth_exposure) = 0;
CG(zend_lineno) = 0;
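Review bot: The unconditional `PG(php_auth_exposure) = 0;` is either redundant or harmful, depending on ordering that this hunk does not show. If it runs before the INI entries are registered, the `"none"` default already produces 0 through the handler; if it runs afterwards, it would silently discard the administrator's configured value. The enclosing function starts and ends outside the hunk, so please confirm the order and either drop the line or add a comment such as `/* overwritten when the INI entries are registered */`.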
@@ -1378,10 +1383,12 @@
}
/* PHP Authentication support */
- if (SG(request_info).auth_user) {
+ if ((PG(php_auth_exposure) & PHP_EXPOSE_AUTH_USER) &&
+ SG(request_info).auth_user) {
php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user,
array_ptr TSRMLS_CC);
}
- if (SG(request_info).auth_password) {
+ if ((PG(php_auth_exposure) & PHP_EXPOSE_AUTH_PW) &&
+ SG(request_info).auth_password) {
php_register_variable("PHP_AUTH_PW", SG(request_info).auth_password,
array_ptr TSRMLS_CC);
}
}
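Review bot: The new `php_auth_exposure` test gates only the registration of `PHP_AUTH_USER` and `PHP_AUTH_PW`; `SG(request_info).auth_user` and `auth_password` are still filled in by the SAPI, and the mod_php4.c hunk in this patch makes that happen under server-side authentication as well. Any other code that reads those fields directly, which cannot be checked from this hunk, would bypass the setting. A comment on the block, for example `/* exposure is limited by php_auth_exposure; do not read SG(request_info).auth_* elsewhere without the same check */`, would make the boundary explicit. The enclosing function begins and ends outside the hunk.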
@@ -1820,6 +1827,66 @@
}
/* }}} */
#endif
+
+/* {{{ OnUpdate_php_auth_exposure */
+static PHP_INI_MH(OnUpdate_php_auth_exposure)
+{
+ char *comp, *p1;
+ int eos;
+ long val = 0;
+ int sp_cnt;
+
+ comp = NULL;
+
+ p1 = new_value;
+ eos = 0;
+
+ do {
+ if (*p1 == '\0') {
+ eos = 1;
+ }
+
+ if (comp == NULL) {
+ if (!eos && *p1 != ' ') {
+ comp = p1;
+ sp_cnt = 0;
+ }
+ } else {
+ if (!eos && *p1 == ' ') {
+ ++sp_cnt;
+ } else if (eos || *p1 == ',') {
+ if (comp != NULL) {
+ int comp_len = (int)(p1 - comp) - sp_cnt;
+ if (comp_len == 4 && strncasecmp(comp, "user",
+comp_len) == 0) {
+ val |= PHP_EXPOSE_AUTH_USER;
+ } else if (comp_len == 2 && strncasecmp(comp,
+"pw", comp_len) == 0) {
+ val |= PHP_EXPOSE_AUTH_PW;
+ }
+ comp = NULL;
+ }
+ } else {
+ sp_cnt = 0;
+ }
+ }
+ p1++;
+ } while (!eos);
+
+ {
+ long *p;
+ char *base;
+#ifndef ZTS
+ base = (char *) mh_arg2;
+#else
+ base = (char *) ts_resource(*((int *) mh_arg2));
+#endif
+
+ p = (long *) (base+(size_t) mh_arg1);
+
+ *p = val;
+ }
+ return SUCCESS;
+}
+/* }}} */
/*
* Local variables:
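Review bot: In `OnUpdate_php_auth_exposure` the `comp == NULL` branch treats a comma as the first character of a component, because the test is only `!eos && *p1 != ' '`. A value such as `,pw` or `user,,pw` therefore measures the next token one character too long and drops it; the result fails closed, but the setting is then silently narrower than configured. Changing the test to `if (!eos && *p1 != ' ' && *p1 != ',') {` skips empty components. Unrecognised tokens are also ignored without any diagnostic, so a typo leaves exposure off with no hint to the administrator. Separately, `sp_cnt` is better declared as `int sp_cnt = 0;`, since its initialisation currently depends on the `comp` state.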
Index: main/php_globals.h
===================================================================
RCS file: /repository/php4/main/php_globals.h,v
retrieving revision 1.86
diff -u -r1.86 php_globals.h
--- main/php_globals.h 30 Nov 2002 18:36:17 -0000 1.86
+++ main/php_globals.h 21 Dec 2002 06:17:30 -0000
@@ -141,6 +141,8 @@
zend_bool always_populate_raw_post_data;
zend_bool report_zend_debug;
+
+ long php_auth_exposure;
};
Index: sapi/apache/mod_php4.c
===================================================================
RCS file: /repository/php4/sapi/apache/mod_php4.c,v
retrieving revision 1.148
diff -u -r1.148 mod_php4.c
--- sapi/apache/mod_php4.c 1 Dec 2002 03:28:21 -0000 1.148
+++ sapi/apache/mod_php4.c 21 Dec 2002 06:17:30 -0000
@@ -448,7 +448,6 @@
authorization = table_get(r->headers_in, "Authorization");
}
if (authorization
- && !auth_type(r)
&& !strcasecmp(getword(r->pool, &authorization, ' '), "Basic")) {
tmp = uudecode(r->pool, authorization);
SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');
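Review bot: With `&& !auth_type(r)` removed, the Basic credentials are decoded into `SG(request_info)` even when Apache itself is authenticating the request, so PHP now holds the password the server validated for every such request. Whether scripts see it then depends entirely on `php_auth_exposure`, and per the description that applies regardless of safe_mode. Consider decoding the password only when the `pw` flag is set, which would need the `PHP_EXPOSE_AUTH_*` constants moved out of main.c into a shared header. At minimum, leave a comment here such as `/* credentials are parsed even under server auth; exposure to scripts is decided by php_auth_exposure */`. The `if` body continues past the end of the hunk.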