Re: [PHP-DEV] Re: #20461 [Opn-Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW
On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:
> > > But why do you assume that the documentation was right and the code was wrong and not the other way around?
> >
> > Because it was working like documented before. (When the documentation was written). Anyway, not sure what to do with this one...
>
> I don't have the energy to do a cvs check, but I remember adding this restriction years ago (php2 days) and then removing it (by commenting out the check) ages ago as well. I'm not sure PHP4 ever had this check turned on (the commented out check was ported to php4), so the documentation has not reflected reality in a very long time.

I agree that this change is going to break a lot of code. Some of it is my own :)

I suggest that we always populate $PHP_AUTH_USER since that one has no security consequences and the information is available elsewhere ($_SERVER['REMOTE_USER']). $PHP_AUTH_PW should be set when there are no safe_mode/open_basedir restrictions in effect.

Would this solution be satisfactory to everyone?

Edin

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] Re: #20461 [Opn-Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW
On Mon, 18 Nov 2002, Edin Kadribasic wrote:
> On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:
> > I don't have the energy to do a cvs check, but I remember adding this restriction years ago (php2 days) and then removing it (by commenting out the check) ages ago as well. I'm not sure PHP4 ever had this check turned on (the commented out check was ported to php4), so the documentation has not reflected reality in a very long time.
>
> I agree that this change is going to break a lot of code. Some of it is my own :)
>
> I suggest that we always populate $PHP_AUTH_USER since that one has no security consequences and the information is available elsewhere ($_SERVER['REMOTE_USER']). $PHP_AUTH_PW should be set when there are no safe_mode/open_basedir restrictions in effect.
>
> Would this solution be satisfactory to everyone?

Perfectly fine with me.

Derick

-- 
---
Derick Rethans http://derickrethans.nl/
JDI Media Solutions
--[ if you hold a unix shell to your ear, do you hear the c? ]-
Re: [PHP-DEV] Re: #20461 [Opn-Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW
On Mon, 18 Nov 2002, Edin Kadribasic wrote:
> On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:
> > > > But why do you assume that the documentation was right and the code was wrong and not the other way around?
> > >
> > > Because it was working like documented before. (When the documentation was written). Anyway, not sure what to do with this one...
> >
> > I don't have the energy to do a cvs check, but I remember adding this restriction years ago (php2 days) and then removing it (by commenting out the check) ages ago as well. I'm not sure PHP4 ever had this check turned on (the commented out check was ported to php4), so the documentation has not reflected reality in a very long time.
>
> I agree that this change is going to break a lot of code. Some of it is my own :)
>
> I suggest that we always populate $PHP_AUTH_USER since that one has no security consequences and the information is available elsewhere ($_SERVER['REMOTE_USER']). $PHP_AUTH_PW should be set when there are no safe_mode/open_basedir restrictions in effect.
>
> Would this solution be satisfactory to everyone?

No, it would break my scripts. :-p

Use the $_SERVER['REMOTE_USER'] as it's been documented for ages in the http auth docs..

--Jani
Re: [PHP-DEV] Re: #20461 [Opn-Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW
On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:
> I'm still not overly convinced that this isn't a restriction that should only kick in when safe_mode or open_basedir is active. This change is going to break working code and it is not a security fix on non-shared servers.

True, but it was clearly documented that it shouldn't work. Do we really have to make a feature out of every bug? I'd say no...

Derick

> > ID: 20461
> > Updated by: [EMAIL PROTECTED]
> > Reported By: [EMAIL PROTECTED]
> > -Status: Open
> > +Status: Bogus
> > Bug Type: Apache related
> > Operating System: Linux 2.4.8
> > PHP Version: 4CVS-2002-11-17
> > New Comment:
> >
> > Then that is an external auth mechanism and means this is not a bug in PHP:
> >
> > From: http://www.php.net/manual/en/features.http-auth.php
> >
> > In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page. In this case, REMOTE_USER can be used to identify the externally-authenticated user.
> >
> > So, $_SERVER['REMOTE_USER'].
> >
> > Configuration Note: PHP uses the presence of an AuthType directive to determine whether external authentication is in effect. Remember to avoid this directive for the context where you want to use PHP authentication (otherwise each authentication attempt will fail).
> >
> > There was a bug in previous PHP 4 versions which let the external authenticated usernames and passwords to be revealed for scripts. This is fixed in PHP 4.3.0.
> >
> > (btw. you really should upgrade your apache to 1.3.27! And forget Apache2, it really is not ready for production use)
> >
> > Previous Comments:
> >
> > [2002-11-17 22:45:43] [EMAIL PROTECTED]
> >
> > forgot to answer your other question.. using apache 1.3.20 -- been wanting to upgrade to 2.0 but have had a whole different set of problems w/ that, so taking things one step at a time...
> >
> > [2002-11-17 22:43:25] [EMAIL PROTECTED]
> >
> > tried using $_SERVER already, no dice.
> >
> > i meant using the mod_auth module in apache to protect certain directories.. when those directories are accessed, the browser pops up a window for the user to enter in their username/password for that resource...
> >
> > [2002-11-17 22:23:00] [EMAIL PROTECTED]
> >
> > I can not reproduce this, it works fine here. Try accessing the variables through $_SERVER variable:
> >
> > $_SERVER['PHP_AUTH_USER']
> > $_SERVER['PHP_AUTH_PW']
> >
> > And what Apache version are you using? What do you mean with regular http authentication through apache ??
> >
> > [2002-11-17 22:09:27] [EMAIL PROTECTED]
> >
> > not using any external auth... simply using regular http authentication through apache... certain directories on the webserver are protected, and so it pops up the box asking the user for username/password.. and then rather than ask them AGAIN for a login for some of my web-based apps, i simply pass the http auth info (via $PHP_AUTH_USER and $PHP_AUTH_PW) along to these apps. the only problem is, those 2 variables don't seem to exist anymore for me. nothing has changed in my configuration except for the fact that i'm now using the cvs version of php as opposed to 4.2.3 (if you read in my original bug report it explains why).
> >
> > [2002-11-17 20:13:05] [EMAIL PROTECTED]
> >
> > Are you using some external auth mechanism?
> >
> > The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/20461
> >
> > -- Edit this bug report at http://bugs.php.net/?id=20461edit=1
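An added example, not code from the thread or from the PHP manual, of a script that follows the documented behaviour quoted above: a populated $_SERVER['REMOTE_USER'] is taken as the sign that Apache (an AuthType directive, e.g. mod_auth) already authenticated the request, in which case the script must not expect PHP_AUTH_PW at all; only when no external auth is in effect does the script issue its own Basic challenge and verify PHP_AUTH_USER/PHP_AUTH_PW. It assumes PHP 5.5 or later (password_hash/password_verify) and uses a constructed in-script user table.

```php
<?php
// Added example (not from the thread). Resolves the authenticated user under
// both configurations discussed in bug #20461.
declare(strict_types=1);

// Constructed sample user table: username => password_hash() output.
// Real code loads hashes from a store; hashing on each request is demo-only.
function sampleUsers(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Returns the authenticated username, or null if the request is not authenticated.
function currentUser(array $server): ?string
{
    // Case 1: Apache's AuthType handled authentication. PHP deliberately leaves
    // PHP_AUTH_USER/PHP_AUTH_PW unset here, so REMOTE_USER is the only source,
    // and the password is never visible to the script.
    if (!empty($server['REMOTE_USER'])) {
        return $server['REMOTE_USER'];
    }

    // Case 2: no AuthType for this context, so PHP performs Basic auth itself.
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pw   = $server['PHP_AUTH_PW'] ?? null;
    $users = sampleUsers();
    if ($user === null || $pw === null || !isset($users[$user])) {
        return null;
    }
    return password_verify($pw, $users[$user]) ? $user : null;
}

$user = currentUser($_SERVER);
if ($user === null) {
    // Challenge the client; this only makes sense when Apache is not already
    // doing the authentication for this directory.
    header('WWW-Authenticate: Basic realm="Example"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authentication required');
}

// Hand only the identity to downstream apps, never the password.
echo 'Authenticated as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```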
Re: [PHP-DEV] Re: #20461 [Opn-Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW
On Mon, 18 Nov 2002, Derick Rethans wrote:
> On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:
> > I'm still not overly convinced that this isn't a restriction that should only kick in when safe_mode or open_basedir is active. This change is going to break working code and it is not a security fix on non-shared servers.
>
> True, but it was clearly documented that it shouldn't work. Do we really have to make a feature out of every bug? I'd say no...

But why do you assume that the documentation was right and the code was wrong and not the other way around?
Re: [PHP-DEV] Re: #20461 [Opn-Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW
On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:
> On Mon, 18 Nov 2002, Derick Rethans wrote:
> > On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:
> > > I'm still not overly convinced that this isn't a restriction that should only kick in when safe_mode or open_basedir is active. This change is going to break working code and it is not a security fix on non-shared servers.
> >
> > True, but it was clearly documented that it shouldn't work. Do we really have to make a feature out of every bug? I'd say no...
>
> But why do you assume that the documentation was right and the code was wrong and not the other way around?

Because it was working like documented before. (When the documentation was written). Anyway, not sure what to do with this one...

Derick
Re: [PHP-DEV] Re: #20461 [Opn-Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW
> > But why do you assume that the documentation was right and the code was wrong and not the other way around?
>
> Because it was working like documented before. (When the documentation was written). Anyway, not sure what to do with this one...

I don't have the energy to do a cvs check, but I remember adding this restriction years ago (php2 days) and then removing it (by commenting out the check) ages ago as well. I'm not sure PHP4 ever had this check turned on (the commented out check was ported to php4), so the documentation has not reflected reality in a very long time.

-Rasmus