PHP :: Request #35752 :: PHP_AUTH_USER and PHP_AUTH_PW not available when using FastCGI

PHP_AUTH_USER and PHP_AUTH_PW not available when using FastCGI

Submitted:

2005-12-20 22:28 UTC

Modified:

2008-11-28 12:17 UTC

Votes:	10
Avg. Score:	4.6 ± 0.7
Reproduced:	8 of 8 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

fcu-phpbugs at no-way dot org

Assigned:

dmitry (profile)

Status:

Not a bug

Package:

Feature/Change Request

PHP Version:

4.4.2RC1

OS:

All

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	fcu-phpbugs at no-way dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2005-12-20 22:28 UTC] fcu-phpbugs at no-way dot org

Description:
------------
When using Apache's Basic Auth together with php in FastCGI Mode, the credentials of the User do not get passed to the PHP Script.

When I configure FastCGI to pass the Authentication Headers (-pass-header Authorization), these get passed to the script, but they are ignored by PHP.

This is because in cgi_main.c only the Env-Var "HTTP_AUTHORIZATION" gets checked and not "Authorization" which seems to be the correct Header value (at least with apache2).

All the apache Handler correctly use that header to set the Authentication Env-Vars.

Could the cgi handler also check for that header?

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-01-02 16:20 UTC] jacques@php.net

Also this behaviour is seen in PHP 5.1.1 run under FastCGI.

[2006-11-30 03:29 UTC] phpbugs at thequod dot de

Even with patching PHP to use "Authorization", it does not 
work.

I've added "-pass-header Authorization" to the 
FastCgiServer (mod_fastcgi) configuration and get the 
following:
_SERVER["Authorization"] => "Basic ZGFuaWVsOmxzZDQy"

But this gets ignored (as it seems) by 
php_handle_auth_data(), because there's no user in there.

I'm wondering though, why "Authorization" gets passed by 
Apache though, because SECURITY_HOLE_PASS_AUTHORIZATION 
does not seem to be defined and therefor "Authorization" 
should not be passed on to CGIs..?!

-----------------------------
"Authorization" patch for PHP:
--- sapi/cgi/cgi_main.c 15 Nov 2006 13:33:41 -0000      
1.267.2.15.2.18
+++ sapi/cgi/cgi_main.c 30 Nov 2006 02:18:13 -0000
@@ -972,7 +972,7 @@
                SG(request_info).content_length = 
(content_length ? atoi(content_length) : 0);

                /* The CGI RFC allows servers to pass on 
unvalidated Authorization data */
-               auth = 
sapi_cgibin_getenv("HTTP_AUTHORIZATION", 
sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC);
+               auth = sapi_cgibin_getenv("Authorization", 
sizeof("Authorization")-1 TSRMLS_CC);
                php_handle_auth_data(auth TSRMLS_CC);
        }
 }
-----------------------------

[2006-11-30 03:47 UTC] phpbugs at thequod dot de

Hmm.. I'm dumb.
1. The above contains the user and password
2. I've forgotten to replace the patched php binary

But still, I'm wondering why "Authorization" gets passed 
from Apache to the fastcgi server (but that's no PHP 
problem and actually good).

(Would someone be so kind and "starify" the above 
user/password data?)

[2007-03-25 16:37 UTC] phpbugs at thequod dot de

Any progress on this one? It's still the case with PHP5-CVS.

[2008-08-23 15:04 UTC] airmax at trolleur dot net

Same behaviour with both PHP 4.4.9 & 5.2.0 using Apache 2.2.9.

Of course I could patch cgi_main.c but I have an other work-around. I created which is called using the auto_prepend_file feature in php.ini.

<?php
// maybe we have caught authentication data in $_SERVER['Authorization']
if((!$_SERVER['PHP_AUTH_USER'] || !$_SERVER['PHP_AUTH_USER'])
    && preg_match('/Basic\s+(.*)$/i', $_SERVER['Authorization'], $matches)) {

    list($name, $password) = explode(':', base64_decode($matches[1]));
    $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
    $_SERVER['PHP_AUTH_PW']    = strip_tags($password);
}
?>

Works with both PHP 4.4 & 5.2. But it would be very for someone with CVS write access to patch this for newer releases :)

The "Authorization" header gets passed from Apache to the fastcgi server because that's exactly what the -pass-header option means :) (allow to pass some headers to FastCGI that aren't supposed to).

[2008-11-28 12:17 UTC] dmitry@php.net

PHP won't support non-standard headers passed by Apache.

mod_fastcgi (or other FastCGI manager) must care about sending proper HTTP_AUTHORIZATION header according to CGI RFC.

It is possible to configure Apache to do it using mod_rewrite.

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 09:00:01 2025 UTC