ID: 35752
Updated by: [EMAIL PROTECTED]
Reported By: fcu-phpbugs at no-way dot org
-Status: Assigned
+Status: Bogus
Bug Type: Feature/Change Request
Operating System: All
PHP Version: 4.4.2RC1
Assigned To: dmitry
New Comment:

PHP won't support non-standard headers passed by Apache. mod_fastcgi (or other FastCGI manager) must care about sending proper HTTP_AUTHORIZATION header according to CGI RFC.

It is possible to configure Apache to do it using mod_rewrite.

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]


Previous Comments:
------------------------------------------------------------------------

[2008-08-23 15:04:15] airmax at trolleur dot net

Same behaviour with both PHP 4.4.9 & 5.2.0 using Apache 2.2.9.

Of course I could patch cgi_main.c but I have another workaround. I created which is called using the auto_prepend_file feature in php.ini.

<?php
// Maybe we have caught authentication data in $_SERVER['Authorization'].
// Only act when PHP has not already filled in both the user and the password.
if ((empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW']))
    && isset($_SERVER['Authorization'])
    && preg_match('/Basic\s+(.*)$/i', $_SERVER['Authorization'], $matches)) {
    // Split on the first ':' only, so a password containing ':' stays intact.
    $parts = explode(':', base64_decode($matches[1]), 2);
    if (count($parts) == 2) {
        $_SERVER['PHP_AUTH_USER'] = strip_tags($parts[0]);
        $_SERVER['PHP_AUTH_PW'] = strip_tags($parts[1]);
    }
}
?>

Works with both PHP 4.4 & 5.2. But it would be very for someone with CVS write access to patch this for newer releases :)

The "Authorization" header gets passed from Apache to the fastcgi server because that's exactly what the -pass-header option means :) (allow to pass some headers to FastCGI that aren't supposed to).

------------------------------------------------------------------------

[2007-03-25 16:37:25] phpbugs at thequod dot de

Any progress on this one? It's still the case with PHP5-CVS.

------------------------------------------------------------------------

[2006-11-30 03:47:22] phpbugs at thequod dot de

Hmm.. I'm dumb.

1. The above contains the user and password
2. I've forgotten to replace the patched php binary

But still, I'm wondering why "Authorization" gets passed from Apache to the fastcgi server (but that's no PHP problem and actually good).

(Would someone be so kind and "starify" the above user/password data?)

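A stricter version of the auto_prepend_file workaround from the 2008-08-23 comment above, as an added example that is not code from the bug report or from PHP. The function name, the lookup order and the sample credentials are assumptions, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the bug report. basic_credentials_from_env()
// is a hypothetical helper. REDIRECT_HTTP_AUTHORIZATION is the name Apache
// gives an E= variable after an internal redirect.

/**
 * Return [user, password] taken from a Basic Authorization value in $server,
 * or null when no value is present or the value is malformed.
 */
function basic_credentials_from_env(array $server): ?array
{
    // Standard CGI name first, then the non-standard names seen in the thread.
    $keys = ['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION', 'Authorization'];
    $header = null;
    foreach ($keys as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            $header = $server[$key];
            break;
        }
    }
    if ($header === null) {
        return null;
    }
    // Anchor the whole value: scheme, one run of base64 characters, nothing else.
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})\s*$/i', $header, $m)) {
        return null;
    }
    // Strict mode fails on input that is not valid base64.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain ':'.
    list($user, $password) = explode(':', $decoded, 2);
    // Reject control characters instead of silently rewriting the credentials.
    if ($user === '' || preg_match('/[\x00-\x1F\x7F]/', $user . $password)) {
        return null;
    }
    return [$user, $password];
}

// Constructed sample input (not a value from the report).
$sample = ['Authorization' => 'Basic ' . base64_encode('alice:s3cr:et')];
var_dump(basic_credentials_from_env($sample));                        // user and password
var_dump(basic_credentials_from_env(['Authorization' => 'Basic %%'])); // NULL

// In a prepend file: fill the variables only when PHP left them empty.
$creds = basic_credentials_from_env($_SERVER);
if ($creds !== null && empty($_SERVER['PHP_AUTH_USER'])) {
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $creds;
}
```
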
------------------------------------------------------------------------

[2006-11-30 03:29:56] phpbugs at thequod dot de

Even with patching PHP to use "Authorization", it does not work.

I've added "-pass-header Authorization" to the FastCgiServer (mod_fastcgi) configuration and get the following:

_SERVER["Authorization"] => "Basic ZGFuaWVsOmxzZDQy"

But this gets ignored (as it seems) by php_handle_auth_data(), because there's no user in there.

I'm wondering though, why "Authorization" gets passed by Apache though, because SECURITY_HOLE_PASS_AUTHORIZATION does not seem to be defined and therefore "Authorization" should not be passed on to CGIs..?!

-----------------------------
"Authorization" patch for PHP:
--- sapi/cgi/cgi_main.c 15 Nov 2006 13:33:41 -0000 1.267.2.15.2.18 +++ sapi/cgi/cgi_main.c 30 Nov 2006 02:18:13 -0000 @@ -972,7 +972,7 @@ SG(request_info).content_length = (content_length ? atoi(content_length) : 0); /* The CGI RFC allows servers to pass on unvalidated Authorization data */ - auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION", sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC); + auth = sapi_cgibin_getenv("Authorization", sizeof("Authorization")-1 TSRMLS_CC); php_handle_auth_data(auth TSRMLS_CC); } }
-----------------------------

------------------------------------------------------------------------

[2006-01-02 16:20:41] [EMAIL PROTECTED]

Also this behaviour is seen in PHP 5.1.1 run under FastCGI.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
http://bugs.php.net/35752

--
Edit this bug report at http://bugs.php.net/?id=35752&edit=1
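
Review bot: In the cgi_main.c hunk at @@ -972,7 +972,7 @@, the changed sapi_cgibin_getenv() call replaces the "HTTP_AUTHORIZATION" lookup with "Authorization" instead of adding a fallback, so a server that does set HTTP_AUTHORIZATION would no longer have its value passed to php_handle_auth_data(). Suggest reading "HTTP_AUTHORIZATION" first and trying "Authorization" only when that returns NULL. The unchanged comment above the call ("The CGI RFC allows servers to pass on unvalidated Authorization data") should also be updated to say that a second, non-standard variable name is being read.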