[[ apologies if this is not the place to raise this ]]

We have a problem with our apache/PHP4 web server in that it seems to be
making users' passwords available as PHP_AUTH_PW - even though we are using
external authentication (mod_auth_samba). Hunting the php bug database
turns up two reports (ID# 7774 and ID# 8827) and (as far as I can see)
no fixes.

Having a dig around in the code we think the problem is line 397 of
mod_php4.c:

--------------------------------
   if (authorization
/*    && !auth_type(r) */     <----- **** line 397 ****
      && !strcmp(getword(r->pool, &authorization, ' '), "Basic")) {
      tmp = uudecode(r->pool, authorization);
      SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');
      if (SG(request_info).auth_user) {
         SG(request_info).auth_user = estrdup(SG(request_info).auth_user);
      }
      SG(request_info).auth_password = tmp;
      if (SG(request_info).auth_password) {
         SG(request_info).auth_password = estrdup(SG(request_info).auth_password);
      }
   } else {
      SG(request_info).auth_user = NULL;
      SG(request_info).auth_password = NULL;
   }
--------------------------------

Uncommenting the line "&& !auth_type(r)" seems to cure the problem in my
quick test but before I roll this into service can someone who knows php
and the apache API better than me comment please!

I am a little concerned that I am missing some horrible side effect of
uncommenting this - after all, someone commented it out: looking at an
old source tree (4.0b2 I think) I can see that the check was there. It
had been commented out by version 4.0.1pl1.

Have I missed something here, or is this the fix (my C is a little rusty to
say the least! :-)? Why was this commented out (I suspect a test release
that "escaped")?

Any clues? This is fairly urgent as it presents somewhat of a security hole
on our web server!!

Thanks,

-- 
Darren Chapman
Senior Computing Officer
University of Kent, Canterbury, England
-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
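The behaviour the post describes, reduced to a stand-alone C program so the effect of the commented-out auth_type check can be seen directly. This is an added example, not code from the post, from mod_php4.c or from Apache: the fake_request struct, the field names and the "user:secret" header value are constructed here, and Apache's pool-based getword/uudecode/estrdup helpers are replaced by plain string and base64 handling. The one point it demonstrates is that when an earlier module has already authenticated the request (r->auth_type is set), the Basic header must not be re-parsed into auth_user/auth_password, otherwise the cleartext password reaches scripts as PHP_AUTH_PW.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the parts of Apache's request_rec that the
 * Authorization-header logic touches. Not the real struct. */
typedef struct {
    const char *authorization; /* raw Authorization header, or NULL */
    const char *auth_type;     /* set by an earlier auth module, NULL if none */
} fake_request;

/* Constructed stand-in for SG(request_info). */
typedef struct {
    char *auth_user;
    char *auth_password;
} request_info;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Base64-decode into a malloc'd NUL-terminated buffer; NULL on bad input.
 * Plays the role of Apache's uudecode() in the posted snippet. */
static char *b64_decode(const char *in) {
    size_t len = strlen(in), o = 0;
    unsigned int acc = 0;
    int bits = 0;
    char *out = malloc(len * 3 / 4 + 2);
    if (!out) return NULL;
    for (size_t i = 0; i < len && in[i] != '='; i++) {
        int v = b64_val((unsigned char)in[i]);
        if (v < 0) { free(out); return NULL; }
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[o++] = (char)((acc >> bits) & 0xFF); }
    }
    out[o] = '\0';
    return out;
}

/* Populate out from a "Basic <base64(user:pass)>" header. Returns 1 when
 * both fields were filled. honour_auth_type = 1 models the restored
 * "&& !auth_type(r)" check: if another module already owns authentication,
 * leave both fields NULL so the password never becomes PHP_AUTH_PW. */
int extract_basic_credentials(const fake_request *r, request_info *out,
                              int honour_auth_type) {
    out->auth_user = NULL;
    out->auth_password = NULL;
    if (r->authorization == NULL) return 0;
    if (honour_auth_type && r->auth_type != NULL) return 0;
    if (strncmp(r->authorization, "Basic ", 6) != 0) return 0; /* getword(' ') != "Basic" */
    const char *p = r->authorization + 6;
    while (*p == ' ') p++;
    char *decoded = b64_decode(p);
    if (!decoded) return 0;
    char *colon = strchr(decoded, ':'); /* getword_nulls_nc(':') */
    if (!colon) { free(decoded); return 0; }
    *colon = '\0';
    out->auth_user = dup_str(decoded);
    out->auth_password = dup_str(colon + 1);
    free(decoded);
    return 1;
}

void free_credentials(request_info *out) {
    free(out->auth_user);
    free(out->auth_password);
    out->auth_user = out->auth_password = NULL;
}

/* 1 if a script would be able to read the password for this request. */
int password_exposed(const char *authz, const char *auth_type, int honour_auth_type) {
    fake_request r = { authz, auth_type };
    request_info info;
    int got = extract_basic_credentials(&r, &info, honour_auth_type);
    free_credentials(&info);
    return got;
}

/* 1 if extraction succeeds and yields exactly the expected user/password. */
int credentials_match(const char *authz, const char *auth_type, int honour_auth_type,
                      const char *exp_user, const char *exp_pw) {
    fake_request r = { authz, auth_type };
    request_info info;
    int ok = extract_basic_credentials(&r, &info, honour_auth_type)
             && strcmp(info.auth_user, exp_user) == 0
             && strcmp(info.auth_password, exp_pw) == 0;
    free_credentials(&info);
    return ok;
}

int main(void) {
    /* Constructed header: base64("user:secret"). auth_type "Basic" models a
     * request that mod_auth_samba has already authenticated. */
    const char *hdr = "Basic dXNlcjpzZWNyZXQ=";
    printf("check commented out, external auth: exposed=%d\n", password_exposed(hdr, "Basic", 0));
    printf("check restored,      external auth: exposed=%d\n", password_exposed(hdr, "Basic", 1));
    printf("check restored,      PHP does auth: exposed=%d\n", password_exposed(hdr, NULL, 1));
    return 0;
}
```

Run with the check disabled (third argument 0) the password is populated even though another module authenticated the request, which is exactly the PHP_AUTH_PW leak the post reports; with the check restored it is only populated when no other module has claimed the request.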