From:             gavin at vess dot com
Operating system: Linux 2.4.18-27.7.x
PHP version:      4.3.4RC3
PHP Bug Type:     Documentation problem
Bug description:  REMOTE_USER not defined when using Basic Auth

Description:
------------
The appended output of "grep's" through PHP and Apache 2 source code
clearly shows "unconnected" code relating to the username supplied by a
user when using basic authentication with HTTP.  PHP source code uses the
environment variable HTTP_AUTHORIZATION, yet no code sets this variable
within either Apache 2.0.48 or PHP 4.3.4RC3.  This prevents PHP_AUTH* from
being set (the code to set these still exists in PHP).  Perhaps this PHP
code was written for other web servers that do supply the HTTP_AUTHORIZATION
environment variable.

This wouldn't cause me any concern, except that REMOTE_USER is also
unavailable when using the Apache 2/FastCGI configuration, since Apache 2
sees the script protected by an .htaccess, but not the FastCGI PHP binary.
apache2.0.48/server/util_script.c: ap_add_common_vars() sets up the
various environment variables to pass to the FastCGI, but REMOTE_USER is
excluded since no authentication was required to access the PHP binary
(only the script, but that was an earlier phase in processing the
request).  Sigh .. perhaps I will patch Apache to help maintain a
consistent environment for my customers .. easier than trying to explain
all this to them.

In any case, the documentation at http://us3.php.net/features.http-auth is
out-of-sync with Apache 2 / PHP 4.3.4RC3.  Perhaps the information
previously accessible via $_SERVER['REMOTE_USER'] and
$_SERVER['PHP_AUTH_USER'] will eventually become available through another
mechanism (maybe in PHP5)?

I haven't had time to follow the design discussions in php-dev, so I
haven't provided a patch to address the dangling code or inconsistencies
with the docs, but merely documented (below) evidence of the
inconsistencies (perhaps just the result of work-in-progress?).

Cheers,
Gavin

Reproduce code:
---------------
httpd-2.0.48$ grep -r HTTP_AUTHORIZATION .
returns nothing

php-4.3.4RC3$ grep -r HTTP_AUTHORIZATION .
./sapi/caudium/caudium.c: php_handle_auth_data(lookup_string_header("HTTP_AUTHORIZATION", NULL), TSRMLS_C);
./sapi/cgi/cgi_main.c:          auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION",0 TSRMLS_CC);

php-4.3.4RC3$ grep -r php_handle_auth_data .
./main/main.c:/* {{{ php_handle_auth_data
./main/main.c:PHPAPI int php_handle_auth_data(const char *auth TSRMLS_DC)
./main/php_main.h:PHPAPI int php_handle_auth_data(const char *auth TSRMLS_DC);
./netware/phplib.imp:php_handle_auth_data,
./sapi/apache2filter/sapi_apache2.c:            php_handle_auth_data(auth TSRMLS_CC);
./sapi/apache2handler/sapi_apache2.c:           php_handle_auth_data(auth TSRMLS_CC);
./sapi/caudium/caudium.c: php_handle_auth_data(lookup_string_header("HTTP_AUTHORIZATION", NULL), TSRMLS_C);
./sapi/cgi/cgi_main.c:          php_handle_auth_data(auth TSRMLS_CC);
./sapi/thttpd/thttpd.c: php_handle_auth_data(TG(hc)->authorization TSRMLS_CC);
./sapi/tux/php_tux.c:   php_handle_auth_data(TG(hc)->authorization TSRMLS_CC);



Expected result:
----------------
This PHP code below is never executed, since SG(request_info).auth_user
has no value, because it is set from the HTTP_AUTHORIZATION environment
variable, which is never set by either PHP or Apache code.  This prevents
PHP_AUTH_USER from having a value.

php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC);

Running "grep -r PHP_AUTH_USER" on the source tree will quickly turn up the
relevant code.


-- 
Edit bug report at http://bugs.php.net/?id=26066&edit=1
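
Added example, not part of the original report and not PHP's or Apache's own code: a C sketch of the dependency the report traces, where a CGI-style binary can only learn the Basic auth user from an HTTP_AUTHORIZATION variable the server chose to pass. The names basic_auth_split and auth_user_from_env are hypothetical, and the sample header values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one base64 character to its 6-bit value, or -1 if outside the alphabet. */
static int b64val(int c) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Hypothetical helper: split "Basic <base64(user:pass)>" into user and pass.
 * Returns 0 on success, -1 if the value is absent, not Basic, or malformed. */
int basic_auth_split(const char *auth, char *user, size_t ulen,
                     char *pass, size_t plen) {
    char buf[256];
    size_t n = 0;
    unsigned acc = 0;
    int bits = 0;

    if (auth == NULL || strncmp(auth, "Basic ", 6) != 0)
        return -1;                      /* no header reached us: no auth user */
    for (auth += 6; *auth && *auth != '='; auth++) {
        int v = b64val((unsigned char)*auth);
        if (v < 0 || n + 1 >= sizeof buf) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; buf[n++] = (char)((acc >> bits) & 0xff); }
    }
    buf[n] = '\0';
    char *colon = strchr(buf, ':');     /* user ends at the first colon */
    if (colon == NULL) return -1;
    *colon = '\0';
    if (strlen(buf) >= ulen || strlen(colon + 1) >= plen) return -1;
    strcpy(user, buf);
    strcpy(pass, colon + 1);
    return 0;
}

/* A CGI/FastCGI process sees only the environment the web server hands it. */
int auth_user_from_env(char *user, size_t ulen) {
    char pass[128];
    return basic_auth_split(getenv("HTTP_AUTHORIZATION"), user, ulen,
                            pass, sizeof pass);
}

int main(void) {
    char user[128];
    if (auth_user_from_env(user, sizeof user) == 0) printf("auth user: %s\n", user);
    else puts("HTTP_AUTHORIZATION missing or unusable: auth user stays unset");
    return 0;
}
```

Run without HTTP_AUTHORIZATION in the environment, the program takes the second branch, which is the situation the report describes for the CGI binary.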