Ohh, it seems we have been working on the same patch simultaneously :) Attached is my version of the fix for bug #20441, which adopts a new ini entry "php_auth_exposure" so that administrators can selectively expose auth information to the clients regardless of safe_mode settings.

Possible values are:

- php_auth_exposure=user
  Only PHP_AUTH_USER is exposed.
- php_auth_exposure=pw
  Only PHP_AUTH_PW is exposed.
- php_auth_exposure=user,pw
  Both PHP_AUTH_USER and PHP_AUTH_PW are exposed.

Hope this helps.

Moriyoshi

Philip Olson <[EMAIL PROTECTED]> wrote:

>
> Attached is a patch that essentially goes back
> to 4.2.3 behavior except the external auth will not
> be available with PHP in safe mode. REMOTE_USER
> exists regardless.
>
> It seems some people also wanted an ini option, I don't
> know how to do that! :)
>
> References for this patch:
> http://bugs.php.net/20441
> http://cvs.php.net/diff.php/php4/sapi/apache/mod_php4.c?r1=1.132&r2=1.133
>
> On a related note, I'm curious why PHP_AUTH_TYPE does
> not exist, only the variable AUTH_TYPE does (for me).
> PHP_AUTH_TYPE has been documented forever, not sure if
> it used to exist but various parts of PHP4 source make
> it seem like it should.
>
> Regards,
> Philip Olson
>
> p.s. Thanks to Wez and Steph for teaching me not to fear
> the source.
>
>
> On Fri, 20 Dec 2002, Andrei Zmievski wrote:
>
> > Everyone,
> >
> > I have just released 4.3.0RC4. Despite the quote in my signature, I am
> > determined to keep this one the very last final RC of the interminable
> > 4.3.0 development cycle. Towards that end, I will closely monitor the
> > CVS commits and revert any that do not satisfactorily explain what
> > critical or showstopper bug they are fixing. I am aware that
> > PHP_AUTH_USER issue raises certain concerns, but no one apparently could
> > make a patch. If, however, one appears very soon, I may consider it a
> > special one and apply it for 4.3.0.
> >
> > -Andrei http://www.gravitonic.com/
> >
> > "The time from now until the completion
> > of the project tends to become constant." -- Douglas Hartree
> >
> > --
> > PHP Development Mailing List <http://www.php.net/>
> > To unsubscribe, visit: http://www.php.net/unsub.php
Index: main/main.c =================================================================== RCS file: /repository/php4/main/main.c,v retrieving revision 1.520 diff -u -r1.520 main.c --- main/main.c 16 Dec 2002 15:43:52 -0000 1.520 +++ main/main.c 21 Dec 2002 06:17:30 -0000 @@ -112,6 +112,9 @@ static void php_build_argv(char *s, zval *track_vars_array TSRMLS_DC); +static PHP_INI_MH(OnUpdate_php_auth_exposure); +#define PHP_EXPOSE_AUTH_USER 0x0001 +#define PHP_EXPOSE_AUTH_PW 0x0002 static char *short_track_vars_names[] = { "_POST", @@ -275,6 +278,7 @@ STD_PHP_INI_ENTRY("output_handler", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateString, output_handler, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("register_argc_argv", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateBool, register_argc_argv, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("register_globals", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateBool, register_globals, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("php_auth_exposure", "none", +PHP_INI_SYSTEM, OnUpdate_php_auth_exposure, php_auth_exposure, +php_core_globals, core_globals) #if PHP_SAFE_MODE STD_PHP_INI_BOOLEAN("safe_mode", "1", PHP_INI_SYSTEM, OnUpdateBool, safe_mode, php_core_globals, core_globals) #else @@ -1191,6 +1195,7 @@ SG(request_info).argv=(char **)NULL; PG(connection_status) = PHP_CONNECTION_NORMAL; PG(during_request_startup) = 0; + PG(php_auth_exposure) = 0; CG(zend_lineno) = 0; @@ -1378,10 +1383,12 @@ } /* PHP Authentication support */ - if (SG(request_info).auth_user) { + if ((PG(php_auth_exposure) & PHP_EXPOSE_AUTH_USER) && + SG(request_info).auth_user) { php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC); } - if (SG(request_info).auth_password) { + if ((PG(php_auth_exposure) & PHP_EXPOSE_AUTH_PW) && + SG(request_info).auth_password) { php_register_variable("PHP_AUTH_PW", SG(request_info).auth_password, array_ptr TSRMLS_CC); } } 
@@ -1820,6 +1827,66 @@ } /* }}} */ #endif + +/* {{{ OnUpdate_php_auth_exposure */ +static PHP_INI_MH(OnUpdate_php_auth_exposure) +{ + char *comp, *p1; + int eos; + long val = 0; + int sp_cnt; + + comp = NULL; + + p1 = new_value; + eos = 0; + + do { + if (*p1 == '\0') { + eos = 1; + } + + if (comp == NULL) { + if (!eos && *p1 != ' ') { + comp = p1; + sp_cnt = 0; + } + } else { + if (!eos && *p1 == ' ') { + ++sp_cnt; + } else if (eos || *p1 == ',') { + if (comp != NULL) { + int comp_len = (int)(p1 - comp) - sp_cnt; + if (comp_len == 4 && strncasecmp(comp, "user", +comp_len) == 0) { + val |= PHP_EXPOSE_AUTH_USER; + } else if (comp_len == 2 && strncasecmp(comp, +"pw", comp_len) == 0) { + val |= PHP_EXPOSE_AUTH_PW; + } + comp = NULL; + } + } else { + sp_cnt = 0; + } + } + p1++; + } while (!eos); + + { + long *p; + char *base; +#ifndef ZTS + base = (char *) mh_arg2; +#else + base = (char *) ts_resource(*((int *) mh_arg2)); +#endif + + p = (long *) (base+(size_t) mh_arg1); + + *p = val; + } + return SUCCESS; +} +/* }}} */ /* * Local variables: Index: main/php_globals.h =================================================================== RCS file: /repository/php4/main/php_globals.h,v retrieving revision 1.86 diff -u -r1.86 php_globals.h --- main/php_globals.h 30 Nov 2002 18:36:17 -0000 1.86 +++ main/php_globals.h 21 Dec 2002 06:17:30 -0000 @@ -141,6 +141,8 @@ zend_bool always_populate_raw_post_data; zend_bool report_zend_debug; + + long php_auth_exposure; }; Index: sapi/apache/mod_php4.c =================================================================== RCS file: /repository/php4/sapi/apache/mod_php4.c,v retrieving revision 1.148 diff -u -r1.148 mod_php4.c --- sapi/apache/mod_php4.c 1 Dec 2002 03:28:21 -0000 1.148 +++ sapi/apache/mod_php4.c 21 Dec 2002 06:17:30 -0000 
@@ -448,7 +448,6 @@ authorization = table_get(r->headers_in, "Authorization"); } if (authorization - && !auth_type(r) && !strcasecmp(getword(r->pool, &authorization, ' '), "Basic")) { tmp = uudecode(r->pool, authorization); SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');
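Review bot: In the main/main.c ini table hunk, the new entry is registered with the default "none" and PHP_INI_SYSTEM only, so after this patch PHP_AUTH_USER and PHP_AUTH_PW are no longer registered for any script until the administrator changes php.ini, and the patch touches only main/main.c, main/php_globals.h and sapi/apache/mod_php4.c. Please add the directive and its accepted values (user, pw, user,pw) to php.ini-dist and the manual, and say there that nothing in these hunks consults safe_mode, so the setting alone decides what is exposed.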
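Review bot: In OnUpdate_php_auth_exposure, a component that is neither "user" nor "pw" is dropped without any diagnostic and the handler still returns SUCCESS, so a misspelling such as "usr,pw" quietly exposes only the password and an unreadable value quietly exposes nothing. Failing closed is the right default, but consider returning FAILURE or raising a startup warning for any component other than "user", "pw" and the default "none", and treating tabs like spaces when trimming, since only ' ' is skipped. The inner `if (comp != NULL)` test is redundant, because that branch is only reached when comp is already non-NULL.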
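Review bot: In the sapi/apache/mod_php4.c hunk, removing `&& !auth_type(r)` means the Basic Authorization header is now decoded and stored in SG(request_info) on every request, including requests where Apache itself performs the authentication, while php_auth_exposure is only checked later in main/main.c when the PHP_AUTH_* variables are registered. With the default "none" the decoded credentials are therefore still held in the request state even though they are never registered. Consider gating the decode here on the exposure mask, for example skipping it when PG(php_auth_exposure) is 0, so that a disabled setting keeps the credentials out of request_info entirely.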