Edit report at https://bugs.php.net/bug.php?id=60056&edit=1
ID: 60056
Comment by: david dot gero at ec dot gc dot ca
Reported by: david dot gero at ec dot gc dot ca
Summary: Basic authorization crashes Windows CLI web server
Status: Open
Type: Bug
Package: CGI/CLI related
Operating System: Windows XP
PHP Version: 5.4.0beta1
Block user comment: N
Private report: N
New Comment:
The first error happens at line 805 of main/SAPI.c
Previous Comments:
------------------------------------------------------------------------
[2011-10-13 16:45:34] david dot gero at ec dot gc dot ca
Sigh. Your bug system wouldn't let me upload the PHP file, saying it was
"text/x-php", which apparently isn't text. So here it is:
<?php
/*! \file basic-auth-test.php
* \brief Test that basic authorization works even if web server doesn't do it
*/
function doauthreq() {
    header('WWW-Authenticate: Basic realm="Admin Area"');
    header((isset($_SERVER["SERVER_PROTOCOL"]) ?
        $_SERVER["SERVER_PROTOCOL"] : 'HTTP/1.0') . ' 401 Unauthorized');
?><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<?php if (isset($_SERVER['SERVER_SIGNATURE'])) echo '<hr>', PHP_EOL,
$_SERVER['SERVER_SIGNATURE'], PHP_EOL; ?>
</body></html>
<?php
    exit();
}
if ((!isset($_SERVER["PHP_AUTH_USER"])) || !isset($_SERVER["PHP_AUTH_PW"])) {
    if (isset($_SERVER["REMOTE_USER"]) && ini_get("safe_mode")) {
        // web server did authentication, but safe_mode is hiding PHP_AUTH_PW
        $php_auth_user = preg_replace(
            '/[^[:alnum:]\\xC0-\\xD6\\xD8-\\xF6\\xF8-\\xFF @.\'_-]+/', '',
            $_SERVER["REMOTE_USER"]);
        $_SERVER["PHP_AUTH_USER"] = $php_auth_user;
        $_SERVER["PHP_AUTH_PW"] = 'testing';
    } else {
        // web server not restricting access, request browser authentication
        doauthreq();
    }
} else if (!isset($_SERVER["REMOTE_USER"])) {
    // web server not restricting access, browser has responded with authentication
    if (strcmp($_SERVER['PHP_AUTH_PW'], 'testing') != 0) doauthreq();
}
?>
<html>
<head>
<title>Basic Authorization Test</title>
</head>
<body bgcolor="white">
<h1>Basic Authorization Test</h1>
<p>Success!<br />
You have been authorized as user: <?php echo $_SERVER["PHP_AUTH_USER"]; ?></p>
</body>
</html>
------------------------------------------------------------------------
[2011-10-13 16:37:50] david dot gero at ec dot gc dot ca
Description:
------------
The attached "Patch file" is actually a PHP program that shows the problem.
Command line was: php -S 127.0.0.1:8000 -t \html
In a browser, go to http://localhost:8000/basic-auth-test.php
1. First error is that the browser's authorization request displays "at 0"
instead of "at Admin Area", meaning the PHP CLI server is not sending the realm
correctly.
2. Second error is that the PHP CLI server crashes when the browser sends the
Authorization: Basic <base64 userid:password>
Test script:
---------------
Patch file below is test script
Expected result:
----------------
Expect the PHP CLI server not to crash, and to see the following at the browser:
Success!
You have been authorized as user: foo
Actual result:
--------------
Windows PHP CLI server crashes
------------------------------------------------------------------------
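Added example (not part of the original report and not PHP project code): a Python regression probe for the two symptoms described above, the realm in the 401 challenge and the follow-up request carrying the Authorization header. It assumes the server was started with the command line from the report and serves the test script at /basic-auth-test.php; the function names are hypothetical.

```python
import base64
import http.client
import re

# Matches a Basic challenge and captures the quoted realm value.
_CHALLENGE = re.compile(r'^\s*Basic\s+realm="((?:[^"\\]|\\.)*)"', re.I)

def parse_basic_realm(header_value):
    """Return the realm of a WWW-Authenticate value, or None if it is not a Basic challenge."""
    m = _CHALLENGE.match(header_value or "")
    return m.group(1) if m else None

def basic_authorization(user, password):
    """Build the Authorization header value: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def probe(host="127.0.0.1", port=8000, path="/basic-auth-test.php",
          realm="Admin Area", user="foo", password="testing"):
    """Run both steps from the report; return a list of failures (empty means OK)."""
    failures = []
    try:
        # Step 1: the unauthenticated request must get a 401 with the right realm.
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        got = parse_basic_realm(resp.getheader("WWW-Authenticate"))
        if resp.status != 401 or got != realm:
            failures.append(f"challenge: status={resp.status} realm={got!r}")
        conn.close()
        # Step 2: the request with credentials, which crashed the server in the report.
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path,
                     headers={"Authorization": basic_authorization(user, password)})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        if resp.status != 200 or f"authorized as user: {user}" not in body:
            failures.append(f"authenticated request: status={resp.status}")
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        # A refused or dropped connection is what a crashed server looks like.
        failures.append(f"connection failed: {exc!r}")
    return failures

if __name__ == "__main__":
    print(probe() or "OK")
```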