Bug #14370 Updated: PHP_AUTH_PW being improperly set

2002-03-11 Thread php4 

 ID:   14370
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Open
 Bug Type: Apache related
 Operating System: FreeBSD
 PHP Version:  4.0.6
 New Comment:

The following patch solves this bug by not exporting the PHP_AUTH_*
variables if safe_mode is set.

===8<
--- php-4.1.2/main/main.c.orig-securevars   Mon Dec 17 22:19:51
2001
+++ php-4.1.2/main/main.c   Mon Mar 11 07:34:40 2002
@@ -1031,10 +1031,10 @@
}
 
/* PHP Authentication support */
-   if (SG(request_info).auth_user) {
+   if (!PG(safe_mode) && SG(request_info).auth_user) {
php_register_variable("PHP_AUTH_USER",
SG(request_info).auth_user, array_ptr TSRMLS_CC);
}
-   if (SG(request_info).auth_password) {
+   if (!PG(safe_mode) && SG(request_info).auth_password) {
php_register_variable("PHP_AUTH_PW",
SG(request_info).auth_password, array_ptr TSRMLS_CC);
}
 }


Previous Comments:


[2002-03-11 07:36:53] [EMAIL PROTECTED]

The following patch solves this bug by not exporting the PHP_AUTH_*
variables when safe_mode is set.

===8<
--- php-4.1.2/main/main.c.orig-securevars   Mon Dec 17 22:19:51
2001
+++ php-4.1.2/main/main.c   Mon Mar 11 07:34:40 2002
@@ -1031,10 +1031,10 @@
}
 
/* PHP Authentication support */
-   if (SG(request_info).auth_user) {
+   if (!PG(safe_mode) && SG(request_info).auth_user) {
php_register_variable("PHP_AUTH_USER",
SG(request_info).auth_user, array_ptr TSRMLS_CC);
}
-   if (SG(request_info).auth_password) {
+   if (!PG(safe_mode) && SG(request_info).auth_password) {
php_register_variable("PHP_AUTH_PW",
SG(request_info).auth_password, array_ptr TSRMLS_CC);
}
 }



[2001-12-06 19:34:29] [EMAIL PROTECTED]

PHP_AUTH_PW is being improperly set when external authentication is
active
on Apache.

I have a directory structure that is protected via Apache
authentication, according
to the PHP documentation the PHP_AUTH_PW should not be available when
external authentication is in use.  This is necessary for security
concerns when you
cannot trust the php applications.  In any case, w/ php the AUTH_PW is
being
set at all times.  Please fix, thanks!




-- 
Edit this bug report at http://bugs.php.net/?id=14370&edit=1

Bug #14370 Updated: PHP_AUTH_PW being improperly set

2002-03-11 Thread php4 

 ID:   14370
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Open
 Bug Type: Apache related
 Operating System: FreeBSD
 PHP Version:  4.0.6
 New Comment:

The following patch solves this bug by not exporting the PHP_AUTH_*
variables when safe_mode is set.

===8<
--- php-4.1.2/main/main.c.orig-securevars   Mon Dec 17 22:19:51
2001
+++ php-4.1.2/main/main.c   Mon Mar 11 07:34:40 2002
@@ -1031,10 +1031,10 @@
}
 
/* PHP Authentication support */
-   if (SG(request_info).auth_user) {
+   if (!PG(safe_mode) && SG(request_info).auth_user) {
php_register_variable("PHP_AUTH_USER",
SG(request_info).auth_user, array_ptr TSRMLS_CC);
}
-   if (SG(request_info).auth_password) {
+   if (!PG(safe_mode) && SG(request_info).auth_password) {
php_register_variable("PHP_AUTH_PW",
SG(request_info).auth_password, array_ptr TSRMLS_CC);
}
 }


Previous Comments:


[2001-12-06 19:34:29] [EMAIL PROTECTED]

PHP_AUTH_PW is being improperly set when external authentication is
active
on Apache.

I have a directory structure that is protected via Apache
authentication, according
to the PHP documentation the PHP_AUTH_PW should not be available when
external authentication is in use.  This is necessary for security
concerns when you
cannot trust the php applications.  In any case, w/ php the AUTH_PW is
being
set at all times.  Please fix, thanks!




-- 
Edit this bug report at http://bugs.php.net/?id=14370&edit=1