andrei Sat Dec 21 15:12:08 2002 EDT Modified files: /php4 NEWS /php4/sapi/apache mod_php4.c Log: MFB. Index: php4/NEWS diff -u php4/NEWS:1.1283 php4/NEWS:1.1284 --- php4/NEWS:1.1283 Sat Dec 21 13:06:04 2002 +++ php4/NEWS Sat Dec 21 15:12:07 2002 @@ -19,6 +19,8 @@ ? ? ??? 2002, Version 4.3.0 +- Make PHP_AUTH_* variables not available in safe mode under Apache when an + external basic auth mechanism is used. (Philip) - Aliased dba_popen() to dba_open() until 4.3.1 when persistent STDIO streams are introduced. (Andrei) - Fixed a security bug in the bundled MySQL library. (Georg, Stefan) Index: php4/sapi/apache/mod_php4.c diff -u php4/sapi/apache/mod_php4.c:1.148 php4/sapi/apache/mod_php4.c:1.149 --- php4/sapi/apache/mod_php4.c:1.148 Sat Nov 30 22:28:21 2002 +++ php4/sapi/apache/mod_php4.c Sat Dec 21 15:12:08 2002 @@ -17,7 +17,7 @@ | PHP 4.0 patches by Zeev Suraski <[EMAIL PROTECTED]> | +----------------------------------------------------------------------+ */ -/* $Id: mod_php4.c,v 1.148 2002/12/01 03:28:21 sas Exp $ */ +/* $Id: mod_php4.c,v 1.149 2002/12/21 20:12:08 andrei Exp $ */ #include "php_apache_http.h" @@ -448,7 +448,7 @@ authorization = table_get(r->headers_in, "Authorization"); } if (authorization - && !auth_type(r) + && (!PG(safe_mode) || (PG(safe_mode) && !auth_type(r))) && !strcasecmp(getword(r->pool, &authorization, ' '), "Basic")) { tmp = uudecode(r->pool, authorization); SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');
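Review bot: The new guard `(!PG(safe_mode) || (PG(safe_mode) && !auth_type(r)))` in the `-448,7` hunk of mod_php4.c repeats its own test: the inner `PG(safe_mode)` is always true where it is evaluated, so `&& (!PG(safe_mode) || !auth_type(r))` is equivalent and easier to audit. The line decides whether a script gets the decoded Basic credentials but has no comment saying so; I would add `/* safe mode: do not expose Basic credentials to scripts when Apache's own AuthType handles authentication */` above the `if`. The same comment should record that outside safe mode the header is still decoded into `SG(request_info).auth_user` even when `auth_type(r)` is set, so scripts on those hosts can read credentials that an external mechanism validated. The enclosing function begins and ends outside the hunk, so the handling of the password half after the `:` split is not visible here.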