PHP :: Bug #14370 :: PHP_AUTH_PW being improperly set

Bug #14370

PHP_AUTH_PW being improperly set

Submitted:

2001-12-06 19:34 UTC

Modified:

2002-06-13 18:14 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

henrich at msu dot edu

Assigned:

Status:

Closed

Package:

Apache related

PHP Version:

4.0.6

OS:

FreeBSD

Private report:

CVE-ID:

None

View Developer Edit

[2001-12-06 19:34 UTC] henrich at msu dot edu

PHP_AUTH_PW is being improperly set when external authentication is active
on Apache.

I have a directory structure that is protected via Apache authentication, according
to the PHP documentation the PHP_AUTH_PW should not be available when
external authentication is in use.  This is necessary for security concerns when you
cannot trust the php applications.  In any case, w/ php the AUTH_PW is being
set at all times.  Please fix, thanks!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-03-11 07:36 UTC] php4 at Ncc-1701 dot b dot shuttle dot DE

The following patch solves this bug by not exporting the PHP_AUTH_* variables when safe_mode is set.

===8<====================================================
--- php-4.1.2/main/main.c.orig-securevars       Mon Dec 17 22:19:51 2001
+++ php-4.1.2/main/main.c       Mon Mar 11 07:34:40 2002
@@ -1031,10 +1031,10 @@
        }
 
        /* PHP Authentication support */
-       if (SG(request_info).auth_user) {
+       if (!PG(safe_mode) && SG(request_info).auth_user) {
                php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC);
        }
-       if (SG(request_info).auth_password) {
+       if (!PG(safe_mode) && SG(request_info).auth_password) {
                php_register_variable("PHP_AUTH_PW", SG(request_info).auth_password, array_ptr TSRMLS_CC);
        }
 }

[2002-03-11 07:37 UTC] php4 at Ncc-1701 dot b dot shuttle dot DE

The following patch solves this bug by not exporting the PHP_AUTH_* variables if safe_mode is set.

===8<====================================================
--- php-4.1.2/main/main.c.orig-securevars       Mon Dec 17 22:19:51 2001
+++ php-4.1.2/main/main.c       Mon Mar 11 07:34:40 2002
@@ -1031,10 +1031,10 @@
        }
 
        /* PHP Authentication support */
-       if (SG(request_info).auth_user) {
+       if (!PG(safe_mode) && SG(request_info).auth_user) {
                php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC);
        }
-       if (SG(request_info).auth_password) {
+       if (!PG(safe_mode) && SG(request_info).auth_password) {
                php_register_variable("PHP_AUTH_PW", SG(request_info).auth_password, array_ptr TSRMLS_CC);
        }
 }

[2002-06-13 18:14 UTC] sniper@php.net

This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 05:00:01 2025 UTC