php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #14370 PHP_AUTH_PW being improperly set
Submitted: 2001-12-06 19:34 UTC Modified: 2002-06-13 18:14 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: henrich at msu dot edu Assigned:
Status: Closed Package: Apache related
PHP Version: 4.0.6 OS: FreeBSD
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: henrich at msu dot edu
New email:
PHP Version: OS:

 

 [2001-12-06 19:34 UTC] henrich at msu dot edu
PHP_AUTH_PW is being improperly set when external authentication is active
on Apache.

I have a directory structure that is protected via Apache authentication, according
to the PHP documentation the PHP_AUTH_PW should not be available when
external authentication is in use.  This is necessary for security concerns when you
cannot trust the php applications.  In any case, w/ php the AUTH_PW is being
set at all times.  Please fix, thanks!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-03-11 07:36 UTC] php4 at Ncc-1701 dot b dot shuttle dot DE
The following patch solves this bug by not exporting the PHP_AUTH_* variables when safe_mode is set.

===8<====================================================
--- php-4.1.2/main/main.c.orig-securevars       Mon Dec 17 22:19:51 2001
+++ php-4.1.2/main/main.c       Mon Mar 11 07:34:40 2002
@@ -1031,10 +1031,10 @@
        }
 
        /* PHP Authentication support */
-       if (SG(request_info).auth_user) {
+       if (!PG(safe_mode) && SG(request_info).auth_user) {
                php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC);
        }
-       if (SG(request_info).auth_password) {
+       if (!PG(safe_mode) && SG(request_info).auth_password) {
                php_register_variable("PHP_AUTH_PW", SG(request_info).auth_password, array_ptr TSRMLS_CC);
        }
 }
 [2002-03-11 07:37 UTC] php4 at Ncc-1701 dot b dot shuttle dot DE
The following patch solves this bug by not exporting the PHP_AUTH_* variables if safe_mode is set.

===8<====================================================
--- php-4.1.2/main/main.c.orig-securevars       Mon Dec 17 22:19:51 2001
+++ php-4.1.2/main/main.c       Mon Mar 11 07:34:40 2002
@@ -1031,10 +1031,10 @@
        }
 
        /* PHP Authentication support */
-       if (SG(request_info).auth_user) {
+       if (!PG(safe_mode) && SG(request_info).auth_user) {
                php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC);
        }
-       if (SG(request_info).auth_password) {
+       if (!PG(safe_mode) && SG(request_info).auth_password) {
                php_register_variable("PHP_AUTH_PW", SG(request_info).auth_password, array_ptr TSRMLS_CC);
        }
 }
 [2002-06-13 18:14 UTC] sniper@php.net
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 18:01:28 2024 UTC