ID: 14370
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Apache related
Operating System: FreeBSD
PHP Version: 4.0.6
New Comment:

The following patch solves this bug by not exporting the PHP_AUTH_* variables when safe_mode is set. ===8<==================================================== --- php-4.1.2/main/main.c.orig-securevars Mon Dec 17 22:19:51 2001 +++ php-4.1.2/main/main.c Mon Mar 11 07:34:40 2002 @@ -1031,10 +1031,10 @@ } /* PHP Authentication support */ - if (SG(request_info).auth_user) { + if (!PG(safe_mode) && SG(request_info).auth_user) { php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC); } - if (SG(request_info).auth_password) { + if (!PG(safe_mode) && SG(request_info).auth_password) { php_register_variable("PHP_AUTH_PW", SG(request_info).auth_password, array_ptr TSRMLS_CC); } } Previous Comments: ------------------------------------------------------------------------ [2001-12-06 19:34:29] [EMAIL PROTECTED] PHP_AUTH_PW is being improperly set when external authentication is active on Apache. I have a directory structure that is protected via Apache authentication, according to the PHP documentation the PHP_AUTH_PW should not be available when external authentication is in use. This is necessary for security concerns when you cannot trust the php applications. In any case, w/ php the AUTH_PW is being set at all times. Please fix, thanks! ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=14370&edit=1
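
Review bot: both changed conditions in the `@@ -1031,10 +1031,10 @@` hunk of main/main.c test `PG(safe_mode)`, but the original report is about `PHP_AUTH_PW` being set while Apache external authentication is active, so the check does not match the condition the report describes. With safe_mode off, `SG(request_info).auth_password` is still registered as `PHP_AUTH_PW` exactly as before, and with safe_mode on `PHP_AUTH_USER` is suppressed as well, although the report only objects to the password. I would either gate on whether the server performed the authentication, or, if safe_mode is the intended switch, say so in the comment above the block (`/* PHP Authentication support */`) and in the safe_mode documentation, and consider leaving `PHP_AUTH_USER` registered. The two identical `!PG(safe_mode) &&` tests could also be folded into one enclosing `if` so the policy is stated once.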