andrei          Sat Dec 21 15:12:08 2002 EDT

  Modified files:              
    /php4       NEWS 
    /php4/sapi/apache   mod_php4.c 
  Log:
  MFB.
  
  
Index: php4/NEWS
diff -u php4/NEWS:1.1283 php4/NEWS:1.1284
--- php4/NEWS:1.1283    Sat Dec 21 13:06:04 2002
+++ php4/NEWS   Sat Dec 21 15:12:07 2002
@@ -19,6 +19,8 @@
 
 
 ? ? ??? 2002, Version 4.3.0
+- Make PHP_AUTH_* variables not available in safe mode under Apache when an
+  external basic auth mechanism is used. (Philip)
 - Aliased dba_popen() to dba_open() until 4.3.1 when persistent STDIO streams
   are introduced. (Andrei)
 - Fixed a security bug in the bundled MySQL library. (Georg, Stefan)
Index: php4/sapi/apache/mod_php4.c
diff -u php4/sapi/apache/mod_php4.c:1.148 php4/sapi/apache/mod_php4.c:1.149
--- php4/sapi/apache/mod_php4.c:1.148   Sat Nov 30 22:28:21 2002
+++ php4/sapi/apache/mod_php4.c Sat Dec 21 15:12:08 2002
@@ -17,7 +17,7 @@
    | PHP 4.0 patches by Zeev Suraski <[EMAIL PROTECTED]>                      |
    +----------------------------------------------------------------------+
  */
-/* $Id: mod_php4.c,v 1.148 2002/12/01 03:28:21 sas Exp $ */
+/* $Id: mod_php4.c,v 1.149 2002/12/21 20:12:08 andrei Exp $ */
 
 #include "php_apache_http.h"
 
@@ -448,7 +448,7 @@
                authorization = table_get(r->headers_in, "Authorization");
        }
        if (authorization
-               && !auth_type(r)
+               && (!PG(safe_mode) || (PG(safe_mode) && !auth_type(r)))
                && !strcasecmp(getword(r->pool, &authorization, ' '), "Basic")) {
                tmp = uudecode(r->pool, authorization);
                SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');
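Review bot: The new guard `(!PG(safe_mode) || (PG(safe_mode) && !auth_type(r)))` tests safe_mode twice; it is equivalent to `(!PG(safe_mode) || !auth_type(r))`, which is easier to audit in a condition that decides whether scripts see Basic credentials. The line also needs a why-comment, for example `/* in safe mode, do not expose credentials to scripts when Apache itself handles auth (auth_type set) */`. With safe_mode off, the decoded Authorization header is now handed to the script even when auth_type(r) is set, so any script under an Apache-protected location can read the user's credentials. The NEWS entry suggests this is intended, but the comment should say so explicitly. The enclosing function starts and ends outside this hunk, so the handling of the remainder of `tmp` after the `:` split is not visible here.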


