Request #32332 In safe mode, Authorization headers are not accessible
Submitted: 2005-03-16 13:09 UTC Modified: 2010-12-22 03:35 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: lacak at users dot sourceforge dot net Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.3.10 OS: ANY
Private report: No CVE-ID: None
 [2005-03-16 13:09 UTC] lacak at users dot sourceforge dot net
Description:
------------
If PHP is running as an Apache module in safe mode and I use "Digest Authorization", there is no possibility to obtain the supplied Authorization header.

When I use the apache_request_headers() function, the Authorization header is not included!

So I cannot authenticate the request.



 [2005-03-18 07:35 UTC] lacak at users dot sourceforge dot net
If safe_mode=On, there is no possibility to obtain the HTTP Authorization header, so no validation can be made.

The solution: why not include the Authorization header in $_SERVER["Authorization"] ...?

Sample code:
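<?php
// Diagnostic script: dump whatever authentication data PHP exposes to the
// script; if none is visible, challenge the client with Digest and Basic.
//phpinfo();

// Credentials parsed by PHP itself
if (isset($_SERVER["PHP_AUTH_USER"])) {
    echo $_SERVER["PHP_AUTH_USER"] . ":" . $_SERVER["PHP_AUTH_PW"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}

// Identity supplied by the web server
if (!empty($_SERVER["REMOTE_IDENT"])) {
    echo $_SERVER["REMOTE_IDENT"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}

// Proposed variable holding the raw Authorization header
if (!empty($_SERVER["Authorization"])) {
    echo $_SERVER["Authorization"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}

// Nothing found: send a 401 offering both schemes and show the received headers
header("HTTP/1.0 401 Unauthorized");
header("WWW-Authenticate: Digest realm=\"www.horiaciker.sk\", opaque=\"opaque\", nonce=\"nonce\", stale=\"false\", qop=\"auth\"");
header("WWW-Authenticate: Basic realm=\"www.horiaciker.sk\"", false);
// Slovak message (accented characters lost in encoding): a valid login and password are required for access
echo "K pr?stupu je potrebn? zada? platn? login a heslo\n";
print_r(getallheaders());
exit;
?>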
 [2005-03-18 07:38 UTC] lacak at users dot sourceforge dot net
If PHP is running as an Apache module in safe_mode=On and I use "HTTP Digest Authorization", there is no possibility to obtain the supplied Authorization header.

When I use the apache_request_headers() function, the Authorization header is not included (if safe_mode=On)!

So I cannot authenticate the request.
 [2010-12-22 03:35 UTC] johannes@php.net
-Status: Open
+Status: Bogus
-Package: Feature/Change Request
+Package: *General Issues
 [2010-12-22 03:35 UTC] johannes@php.net
This is an explicit security feature to avoid stealing authentication data on shared environments.
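
Added example (not part of the original report and not PHP project code): what the submitter needs the Authorization header for, namely checking an RFC 2617 Digest response with qop=auth on the server side. It assumes PHP 7.1 or later and a configuration in which the raw header value reaches the script; the function names are hypothetical, and the sample header is the worked example from RFC 2617 section 3.5.

```php
<?php
// Added example; the function names are hypothetical, not from the report or PHP.

// Split a "Digest ..." Authorization header value into its key=value fields.
function parse_digest_header(string $header): ?array
{
    if (stripos($header, 'Digest ') !== 0) {
        return null;
    }
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $fields = [];
    foreach ($m as $pair) {
        // Group 2 holds a quoted value, group 3 an unquoted token such as qop=auth.
        $fields[$pair[1]] = $pair[2] !== '' ? $pair[2] : ($pair[3] ?? '');
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'] as $key) {
        if (!isset($fields[$key])) {
            return null; // reject incomplete headers instead of hashing empty strings
        }
    }
    return $fields;
}

// Recompute the RFC 2617 response for qop=auth and compare in constant time.
function verify_digest(array $f, string $method, string $password, string $issuedNonce): bool
{
    // The nonce must be the one this server issued, not just any client-supplied value.
    if ($f['qop'] !== 'auth' || !hash_equals($issuedNonce, $f['nonce'])) {
        return false;
    }
    $ha1 = md5($f['username'] . ':' . $f['realm'] . ':' . $password);
    $ha2 = md5($method . ':' . $f['uri']);
    $expected = md5(implode(':', [$ha1, $f['nonce'], $f['nc'], $f['cnonce'], $f['qop'], $ha2]));
    return hash_equals($expected, strtolower($f['response']));
}

// Constructed input: the worked example from RFC 2617 section 3.5.
$header = 'Digest username="Mufasa", realm="testrealm@host.com", '
        . 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
        . 'qop=auth, nc=00000001, cnonce="0a4f113b", '
        . 'response="6629fae49393a05397450978507c4ef1", '
        . 'opaque="5ccc069c403ebaf9f0171e9517f40e41"';
$fields = parse_digest_header($header);
$ok = $fields !== null
    && verify_digest($fields, 'GET', 'Circle Of Life', 'dcd98b7102dd2f0e8b11d0f600bfb0c093');
var_dump($ok);
```

A complete handler would also compare the uri field with the URI actually requested and track nc per nonce so that a captured header cannot be replayed.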
 