Edit report at http://bugs.php.net/bug.php?id=32332&edit=1
 ID:                 32332
 Updated by:         [email protected]
 Reported by:        lacak at users dot sourceforge dot net
 Summary:            In safe mode, Authorization headers are not accessible
-Status:             Open
+Status:             Bogus
 Type:               Feature/Change Request
-Package:            Feature/Change Request
+Package:            *General Issues
 Operating System:   ANY
 PHP Version:        4.3.10
 Block user comment: N
 Private report:     N

 New Comment:

This is an explicit security feature to avoid stealing authentication
data on shared environments.

Previous Comments:
------------------------------------------------------------------------

[2005-03-18 07:38:23] lacak at users dot sourceforge dot net

If PHP is running as an Apache module with safe_mode=On and I use "HTTP
Digest Authorization", there is no possibility to obtain the supplied
Authorization header. When I use the apache_request_headers() function,
the Authorization header is not included (if safe_mode=On)! So I cannot
authenticate the request.

------------------------------------------------------------------------

[2005-03-18 07:35:37] lacak at users dot sourceforge dot net

If safe_mode=On there is no possibility to obtain the HTTP Authorization
header, so no validation can be made.
The solution: why not include the Authorization header in
$_SERVER["Authorization"] ... ?

Sample code:

<?php
//phpinfo();

// Basic credentials already decoded by PHP: dump them and the request headers.
if (isset($_SERVER["PHP_AUTH_USER"])) {
    echo $_SERVER["PHP_AUTH_USER"].":".$_SERVER["PHP_AUTH_PW"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}

// Identity supplied by the web server, if any.
if (!empty($_SERVER["REMOTE_IDENT"])) {
    echo $_SERVER["REMOTE_IDENT"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}

// The variable proposed in this report for the raw Authorization header.
if (!empty($_SERVER["Authorization"])) {
    echo $_SERVER["Authorization"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}

// No credentials seen: challenge the client with both Digest and Basic.
Header( "HTTP/1.0 401 Unauthorized");
Header( "WWW-Authenticate: Digest realm=\"www.horiaciker.sk\", opaque=\"opaque\", nonce=\"nonce\", stale=\"false\", qop=\"auth\"");
Header( "WWW-Authenticate: Basic realm=\"www.horiaciker.sk\"", false);
// Message: "A valid login and password must be entered for access"
echo "K prístupu je potrebné zadať platný login a heslo\n";
print_r(getallheaders());
exit;
?>

------------------------------------------------------------------------

[2005-03-16 13:09:38] lacak at users dot sourceforge dot net

Description:
------------
If PHP is running as an Apache module in safe mode and I use "Digest
Authorization", there is no possibility to obtain the supplied
Authorization header. When I use the apache_request_headers() function,
the Authorization header is not included! So I cannot authenticate the
request.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/bug.php?id=32332&edit=1
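
What the reporter needs the raw header for, as an added example that is not part of the bug report or of PHP itself: checking an RFC 2617 Digest response (qop=auth) once the Authorization header value is available as a string. It assumes PHP 5.6+ for hash_equals(); the realm and nonce come from the report's challenge, while the user table, password, uri, nc and cnonce are constructed.

```php
<?php
// Added example: verify an RFC 2617 Digest "Authorization" header value (qop=auth).

// Split 'Digest k="v", k2=v2' into a lower-cased field array, or null if unusable.
function parse_digest_header($header)
{
    if (stripos($header, 'Digest ') !== 0) {
        return null; // some other scheme, e.g. Basic
    }
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $f = array();
    foreach ($m as $pair) {
        $f[strtolower($pair[1])] = ($pair[2] !== '') ? $pair[2] : (isset($pair[3]) ? $pair[3] : '');
    }
    foreach (array('username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce') as $name) {
        if (!isset($f[$name])) {
            return null; // incomplete header
        }
    }
    return $f;
}

// response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri)
function digest_response($f, $method, $password)
{
    $ha1 = md5($f['username'] . ':' . $f['realm'] . ':' . $password);
    $ha2 = md5($method . ':' . $f['uri']);
    return md5(implode(':', array($ha1, $f['nonce'], $f['nc'], $f['cnonce'], $f['qop'], $ha2)));
}

// $users is a hypothetical username => password table; realm and nonce must
// match the challenge this server issued.
function verify_digest($header, $method, $realm, $nonce, $users)
{
    $f = parse_digest_header($header);
    if ($f === null || $f['realm'] !== $realm || $f['nonce'] !== $nonce
        || $f['qop'] !== 'auth' || !isset($users[$f['username']])) {
        return false;
    }
    $expected = digest_response($f, $method, $users[$f['username']]);
    return hash_equals($expected, strtolower($f['response'])); // constant-time compare
}

// Constructed sample request; the response is computed the way a client would.
$users = array('alice' => 'correct horse');
$f = array('username' => 'alice', 'realm' => 'www.horiaciker.sk', 'nonce' => 'nonce',
           'uri' => '/protected.php', 'qop' => 'auth', 'nc' => '00000001', 'cnonce' => 'abc123');
$header = 'Digest username="alice", realm="www.horiaciker.sk", nonce="nonce", uri="/protected.php", '
        . 'qop=auth, nc=00000001, cnonce="abc123", opaque="opaque", response="'
        . digest_response($f, 'GET', 'correct horse') . '"';
var_dump(verify_digest($header, 'GET', 'www.horiaciker.sk', 'nonce', $users));
// Same header with the uri field changed after the response was computed.
var_dump(verify_digest(str_replace('/protected.php', '/admin.php', $header), 'GET', 'www.horiaciker.sk', 'nonce', $users));
```

A deployed check would also compare the uri field with the URI actually requested and issue an unpredictable nonce per challenge instead of the literal "nonce" used in the report's sample.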
