php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #32392 apache_request_headers() does not rturn Authorization header
Submitted: 2005-03-21 09:23 UTC Modified: 2005-03-22 10:11 UTC
From: lacak at users dot sourceforge dot net Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.3.10 OS: Win
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
37 + 38 = ?
Subscribe to this entry?

 
 [2005-03-21 09:23 UTC] lacak at users dot sourceforge dot net 
Description:
------------
Help PHP Developers, please, please

if PHP is running as Apache module in safe_mode=on 
in result of function apache_request_headers() is not included Authorization header.

When I use "HTTP Digest Authorization" in my PHP script I cannot validate clients response, because I can not obtain supplied Authorization header.

Please change behavior of apache_request_headers(), so it hides Authorization header only if :
(safe_mode=on) && (AuthType is set to [Basic|Digest] in httpd.conf or .htaccess)
so only if Apache performs authentication

Please rply ...
Thank you

Reproduce code:
---------------
Sample code :
<?php

  $headers=apache_request_headers();
  if (isset($headers["Authorization"])  {
  print_r($headers);
  phpinfo();
  exit;
  }

 if (isset($_SERVER["PHP_AUTH_USER"])) {
  echo $_SERVER["PHP_AUTH_USER"].":".$_SERVER["PHP_AUTH_PW"];
  print_r(apache_request_headers());
  phpinfo();
  exit;
 }

 if (!empty($_SERVER["REMOTE_IDENT"])) {
  echo $_SERVER["REMOTE_IDENT"];
  print_r(apache_request_headers());
  phpinfo();
  exit;
 }

 if (!empty($_SERVER["Authorization"])) {
  echo $_SERVER["Authorization"];
  print_r(apache_request_headers());
  phpinfo();
  exit;
 }

  Header( "HTTP/1.0 401 Unauthorized");
  Header( "WWW-Authenticate: Digest realm=\"www.myrealm.com\",
opaque=\"opaque\", nonce=\"nonce\", stale=\"false\", qop=\"auth\"");
  print_r(getallheaders());
  exit;
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-03-21 10:31 UTC] rasmus@php.net 
That would allow you to steal passwords from other scripts on the same shared server which is exactly what safemode is designed to counteract.  So no, this won't change.
 [2005-03-21 11:58 UTC] lacak at users dot sourceforge dot net 
Thank you rasmus, for reply :
1. So how can I use "HTTP Digest Authorization" in PHP script ? (is it inpossible ? really is no solution, todasy ? or in the future ?)
2. Why is it security problem ? When safe_mode=on, then uid is added to realm, so other scripts on same shared (ISP) server cannot simulate the same realm and so steal passwords ?
And at other : when I use "HTTP Basic Authorization", then $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] are set (so may be steal) when safe_mode=on, but header Authorization is not set.
 [2005-03-21 12:38 UTC] lacak at users dot sourceforge dot net 
Please reply ...
 [2005-03-21 16:14 UTC] rasmus@php.net 
1. In safemode, you can't.  
2. They can't simulate the realm in safemode, but they don't need to.  Adding the user id to the realm means you can't pretend to be them, but if the user has already visited and logged into that other site and then visit your site, without even sending an Authenticate header their browser will send you their Authorization header for the other site (assuming same domain like example.com/~bob vs. example.com/~joe) and if you could grab all the request headers you will now have stolen the user's username and password.
3. This is not a support forum
 [2005-03-22 10:11 UTC] lacak at users dot sourceforge dot net 
Thank you very much.
I know, that it is not a support forum, but I am looking for a solution, that could be useful 
also for other PHP users.
"HTTP Basic Authorization" sends password only base64 encoded, and may be
easily stolen.
but
"HTTP Digest Authorization" sends password 'md5 hashed', so for other script
it is much more harder to steal or gain it.

Wouldn?t it be possible to add in PHP support the Digest Authorization
for example in a form $_SERVER["PHP_AUTH_DIGEST"], where the header from HTTP
Response would be added if 'Authorization: Digest ...' is used (similar as the 'Authorization:
Basic ...' in $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] even when
safe_mode=On)
1.PHP must parse HTTP header.
2. When it finds Authorization: Basic then fill up $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]
3. add next condition When it finds Authorization: Digest then fill $_SERVER["PHP_AUTH_DIGEST"]
(I think, that it takes only few lines of source code ?)

Or different way
if safe_mode=On then
 HTTP Authorization header is never included in apache_request_headers(),
 but $_SERVER["PHP_AUTH_*"] are set up so script may validate username and
password ...
so the same logic could be taken for function apache_request_headers(), already used
when constructing $_SERVER["PHP_AUTH_*"]

Thank you very much for your time and effort.
Please reply.
Laco
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Oct 29 12:00:01 2025 UTC