I'm still not overly convinced that this isn't a restriction that should
only kick in when safe_mode or open_basedir is active.  This change is
going to break working code and it is not a security fix on non-shared
servers.

-Rasmus

On 18 Nov 2002 [EMAIL PROTECTED] wrote:

>  ID:               20461
>  Updated by:       [EMAIL PROTECTED]
>  Reported By:      [EMAIL PROTECTED]
> -Status:           Open
> +Status:           Bogus
>  Bug Type:         Apache related
>  Operating System: Linux 2.4.8
>  PHP Version:      4CVS-2002-11-17
>  New Comment:
>
> Then that is an external auth mechanism and means this
> is not a bug in PHP:
>
> From: http://www.php.net/manual/en/features.http-auth.php
>
> "In order to prevent someone from writing a script which
> reveals the password for a page that was authenticated
> through a traditional external mechanism, the
> PHP_AUTH variables will not be set if external
> authentication is enabled for that particular page. In this
> case, REMOTE_USER can be used to identify the
> externally-authenticated user. So, $_SERVER['REMOTE_USER'].
>
> Configuration Note: PHP uses the presence of an AuthType
> directive to determine whether external authentication is in
> effect. Remember to avoid this directive for the context
> where you want to use PHP authentication (otherwise each
> authentication attempt will fail).
> "
>
> There was a bug in previous PHP 4 versions which let the
> externally authenticated usernames and passwords be revealed to
> scripts. This is fixed in PHP 4.3.0.
>
> (btw. you really should upgrade your apache to 1.3.27! And forget
> Apache2, it really is not ready for production use)
>
>
>
>
> Previous Comments:
> ------------------------------------------------------------------------
>
> [2002-11-17 22:45:43] [EMAIL PROTECTED]
>
> forgot to answer your other question.. using apache 1.3.20 -- been
> wanting to upgrade to 2.0 but have had a whole different set of
> problems w/ that, so taking things one step at a time...
>
> ------------------------------------------------------------------------
>
> [2002-11-17 22:43:25] [EMAIL PROTECTED]
>
> tried using $_SERVER already, no dice.
>
> i meant using the mod_auth module in apache to protect certain
> directories.. when those directories are accessed, the browser pops up
> a window for the user to enter in their username/password for that
> resource...
>
> ------------------------------------------------------------------------
>
> [2002-11-17 22:23:00] [EMAIL PROTECTED]
>
> I cannot reproduce this, it works fine here.
> Try accessing the variables through $_SERVER variable:
>
> $_SERVER['PHP_AUTH_USER']
> $_SERVER['PHP_AUTH_PW']
>
> And what Apache version are you using?
> What do you mean by "regular http authentication through apache" ??
>
>
> ------------------------------------------------------------------------
>
> [2002-11-17 22:09:27] [EMAIL PROTECTED]
>
> not using any external auth... simply using regular http authentication
> through apache... certain directories on the webserver are protected,
> and so it pops up the box asking the user for username/password.. and
> then rather than ask them AGAIN for a login for some of my web-based
> apps, i simply pass the http auth info (via $PHP_AUTH_USER and
> $PHP_AUTH_PW) along to these apps.  the only problem is, those 2
> variables don't seem to exist anymore for me.  nothing has changed in
> my configuration except for the fact that i'm now using the cvs version
> of php as opposed to 4.2.3 (if you read in my original bug report it
> explains why).
>
> ------------------------------------------------------------------------
>
> [2002-11-17 20:13:05] [EMAIL PROTECTED]
>
> Are you using some external auth mechanism?
>
>
> ------------------------------------------------------------------------
>
> The remainder of the comments for this report are too long. To view
> the rest of the comments, please view the bug report online at
>     http://bugs.php.net/20461
>
> --
> Edit this bug report at http://bugs.php.net/?id=20461&edit=1
>


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
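
The behaviour quoted from the manual in this thread, as an added example that is not part of the original messages or of PHP's own code: a script that identifies the user from REMOTE_USER when the web server did the authentication and only falls back to the PHP_AUTH variables when PHP handles the challenge itself. The function name `resolve_http_user` and the sample `$_SERVER` arrays are constructed for illustration, and the syntax assumes a current PHP release.

```php
<?php
// Added example: resolve_http_user() is a hypothetical helper, not a PHP built-in.

/**
 * Decide who the request is authenticated as without depending on the
 * password being visible to the script.
 */
function resolve_http_user(array $server): array
{
    // AuthType is configured: the web server already verified the credentials.
    // PHP_AUTH_USER / PHP_AUTH_PW are withheld, so REMOTE_USER is the identity.
    if (isset($server['REMOTE_USER']) && $server['REMOTE_USER'] !== '') {
        return ['user' => $server['REMOTE_USER'], 'source' => 'external', 'password_visible' => false];
    }

    // No AuthType: PHP handles the challenge, so the script sees the raw
    // credentials and must verify the password itself before trusting 'user'.
    if (isset($server['PHP_AUTH_USER'])) {
        return [
            'user' => $server['PHP_AUTH_USER'],
            'source' => 'php',
            'password_visible' => isset($server['PHP_AUTH_PW']),
        ];
    }

    // Nothing was sent: the caller should answer 401 with a WWW-Authenticate header.
    return ['user' => null, 'source' => 'none', 'password_visible' => false];
}

// Constructed $_SERVER samples covering the three cases discussed in the thread.
$samples = [
    'directory with AuthType'   => ['REMOTE_USER' => 'alice'],
    'PHP-managed authentication' => ['PHP_AUTH_USER' => 'bob', 'PHP_AUTH_PW' => 'example-only'],
    'no credentials sent'       => [],
];

foreach ($samples as $label => $server) {
    $r = resolve_http_user($server);
    printf(
        "%-28s user=%-6s source=%-9s password_visible=%s\n",
        $label,
        $r['user'] ?? '-',
        $r['source'],
        $r['password_visible'] ? 'yes' : 'no'
    );
}
```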
