 ID:               26066
 User updated by:  gavin at vess dot com
 Reported By:      gavin at vess dot com
-Status:           Bogus
+Status:           Closed
 Bug Type:         Documentation problem
 Operating System: Linux 2.4.18-27.7.x
 PHP Version:      4.3.4RC3
 New Comment:

Ok .. found it, and patched ap_add_common_vars() in Apache2 to provide an HTTP_AUTHORIZATION header to FastCGI scripts (minus the base64 encoded password for security reasons).

Apache source code refers to the authorization header using case-insensitive comparison with 'Authorization', and the 'HTTP_' prefix is prepended in http2env(). Further, this environment variable is, by default, deleted from Apache's "environment" in ap_add_common_vars() for CGIs (including FastCGI).

Reference: http://www.faqs.org/rfcs/rfc2617.html


Previous Comments:
------------------------------------------------------------------------

[2003-11-01 05:36:52] [EMAIL PROTECTED]

This only works fine with PHP as a DSO. If Apache2 doesn't provide that env var, it's probably a) a bug in Apache or b) a configuration issue

------------------------------------------------------------------------

[2003-10-31 23:12:28] gavin at vess dot com

Description:
------------
The appended output of "grep's" through PHP and Apache 2 source code clearly shows "unconnected" code relating to the username supplied by a user when using basic authentication with HTTP.

PHP source code uses the environment variable HTTP_AUTHORIZATION, yet no code sets this variable within either Apache 2.0.48 or PHP 4.3.4RC3. This prevents PHP_AUTH* from being set (the code to set these still exists in PHP). Perhaps this PHP code was written for other web servers that do supply the HTTP_AUTHORIZATION environment variable.

This wouldn't cause me any concern, except that REMOTE_USER is also unavailable when using the Apache 2/FastCGI configuration, since Apache 2 sees the script protected by an .htaccess, but not the FastCGI PHP binary.

apache2.0.48/server/util_script.c: ap_add_common_vars() sets up the various environment variables to pass to the FastCGI, but REMOTE_USER is excluded since no authentication was required to access the PHP binary (only the script, but that was an earlier phase in processing the request).

Sigh .. perhaps I will patch Apache to help maintain a consistent environment for my customers .. easier than trying to explain all this to them.

In any case, the documentation at http://us3.php.net/features.http-auth is out-of-sync with Apache 2 / PHP 4.3.4RC3. Perhaps the information previously accessible via $_SERVER['REMOTE_USER'] and $_SERVER['PHP_AUTH_USER'] will eventually become available through another mechanism (maybe in PHP5)?

I haven't had time to follow the design discussions in php-dev, so I haven't provided a patch to address the dangling code or inconsistencies with the docs, but merely documented (below) evidence of the inconsistencies (perhaps just the result of work-in-progress?).

Cheers,
Gavin

Reproduce code:
---------------
httpd-2.0.48$ grep -r HTTP_AUTHORIZATION .
returns nothing

php-4.3.4RC3$ grep -r HTTP_AUTHORIZATION .
./sapi/caudium/caudium.c: php_handle_auth_data(lookup_string_header("HTTP_AUTHORIZATION", NULL), TSRMLS_C);
./sapi/cgi/cgi_main.c: auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION",0 TSRMLS_CC);

php-4.3.4RC3$ grep -r php_handle_auth_data .
./main/main.c:/* {{{ php_handle_auth_data
./main/main.c:PHPAPI int php_handle_auth_data(const char *auth TSRMLS_DC)
./main/php_main.h:PHPAPI int php_handle_auth_data(const char *auth TSRMLS_DC);
./netware/phplib.imp:php_handle_auth_data,
./sapi/apache2filter/sapi_apache2.c: php_handle_auth_data(auth TSRMLS_CC);
./sapi/apache2handler/sapi_apache2.c: php_handle_auth_data(auth TSRMLS_CC);
./sapi/caudium/caudium.c: php_handle_auth_data(lookup_string_header("HTTP_AUTHORIZATION", NULL), TSRMLS_C);
./sapi/cgi/cgi_main.c: php_handle_auth_data(auth TSRMLS_CC);
./sapi/thttpd/thttpd.c: php_handle_auth_data(TG(hc)->authorization TSRMLS_CC);
./sapi/tux/php_tux.c: php_handle_auth_data(TG(hc)->authorization TSRMLS_CC);

Expected result:
----------------
This PHP code below is never executed, since SG(request_info).auth_user has no value, because it is set from the HTTP_AUTHORIZATION environment variable, which is never set by either PHP or Apache code. This prevents PHP_AUTH_USER from having a value.

php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC);

"grep -r PHP_AUTH_USER" the source tree will quickly turn up the relevant code.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=26066&edit=1
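
The behaviour described in the new comment, as an added example (not Apache's or PHP's code, and not the reporter's patch): a small model of the header-to-variable mapping and of withholding Authorization from CGI children, plus a hypothetical basic_user() helper showing one way to give a script the user name without the password. All function names and the sample credential are constructed; Proxy-Authorization is included because stock Apache withholds it in the same check.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Header name -> CGI variable: "HTTP_" prefix, upper case, rest -> '_'. n >= 1. */
static void cgi_env_name(const char *hdr, char *out, size_t n)
{
    size_t i = 0;
    for (const char *p = "HTTP_"; *p && i + 1 < n; p++) out[i++] = *p;
    for (; *hdr && i + 1 < n; hdr++)
        out[i++] = isalnum((unsigned char)*hdr) ? (char)toupper((unsigned char)*hdr) : '_';
    out[i] = '\0';
}

/* Credential-bearing headers kept out of a CGI child's environment. */
static int is_withheld(const char *hdr)
{
    return !strcasecmp(hdr, "Authorization") || !strcasecmp(hdr, "Proxy-Authorization");
}

static int b64val(int c)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Hypothetical helper: decode a Basic credential and copy only the user name
 * into out; decoding stops at ':' so the password is never stored. 0 = ok. */
static int basic_user(const char *value, char *out, size_t n)
{
    unsigned acc = 0; int bits = 0, v; size_t i = 0;
    if (n == 0 || strncasecmp(value, "Basic ", 6) != 0) return -1;
    for (value += 6; (v = b64val((unsigned char)*value)) >= 0; value++) {
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) < 8) continue;
        bits -= 8;
        char c = (char)((acc >> bits) & 0xff);
        if (c == ':') { out[i] = '\0'; return 0; }
        if (i + 1 >= n) return -1;
        out[i++] = c;
    }
    return -1;  /* no ':' found: not a user:password pair */
}
int main(void)
{
    char name[64], user[64];
    cgi_env_name("Authorization", name, sizeof name);
    if (basic_user("Basic YWxpY2U6c2VjcmV0", user, sizeof user) == 0) /* constructed */
        printf("%s withheld=%d user=%s\n", name, is_withheld("Authorization"), user);
    return 0;
}
```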