php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #20088 Custom authentication mechanism
Submitted: 2002-10-25 10:36 UTC Modified: 2002-10-28 05:33 UTC
From: paul at myitcv dot org dot uk Assigned:
Status: Closed Package: HTTP related
PHP Version: 4.2.3 OS: SuSE Linux 7.2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: paul at myitcv dot org dot uk
New email:
PHP Version: OS:

 

 [2002-10-25 10:36 UTC] paul at myitcv dot org dot uk
The following code:

<?php

// File Name: auth01.php
// Check to see if $PHP_AUTH_USER already contains info

if (!isset($PHP_AUTH_USER)) {

// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
phpinfo();
exit;
}

// If not empty, display values for variables

else {

echo "
<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>
";

}

?>

....fails. I believe the reason for this is that I have made the following change to the PHP source:

--- php/sapi/apache/mod_php4.c.paj00    Tue Sep 10 13:59:06 2002
+++ php/sapi/apache/mod_php4.c  Tue Sep 10 13:59:17 2002
@@ -434,7 +434,7 @@
                authorization = table_get(r->headers_in, "Authorization");
        }
        if (authorization
-/*             && !auth_type(r) */
+               && !auth_type(r) 
                && !strcasecmp(getword(r->pool, &authorization, ' '), "Basic")) {
                tmp = uudecode(r->pool, authorization);
                SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');

I have made this change because of Bug #18391. However, custom authentication methods, an example of which is entered above, now fail. I would imagine that the two are linked. 

As we use mod_auth_kerb I will not remove this patch because otherwise we leave ourselves quite open to attack from the inside. Any suggestions on how to get custom authentication working alongside the increased kerberos security?

Thanks,


Paul

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-10-25 12:44 UTC] sniper@php.net
Works fine here. Do you have 'register_globals=On' ??

 [2002-10-27 10:49 UTC] paul at myitcv dot org dot uk
Yes, register_globals is on. Did your test system have similar modules (eg mod_auth_kerb etc) installed?
 [2002-10-27 21:25 UTC] sterling@php.net
Err, you have created a bug by modifying the PHP source, trying to fix another bug?  Why did you report this bug - anyhow, its marked bogus :)
 [2002-10-28 04:04 UTC] paul at myitcv dot org dot uk
The patch I applied to the source was on the recommendation of php.net developers who said that the exact same patch would soon make it into the main tree. Therefore I assumed they recognised the original behaviour with revelation of kerberos passwords as a genuine bug.

Hence, with the patch applied I am now reporting that the custom authentication method fails. 

Sorry for being thick, but have I missed something?
 [2002-10-28 04:51 UTC] sniper@php.net
Nevermind Sterling, he just wasn't aware of the patch..which btw. is in 4.3.0-dev already.

Anyway, I'm still unable to reproduce this. I don't have time to install mod_auth_kerb right now. 
But the problem might be configuration related..are you
sure you're not using the mod_auth_kerb within the same vhost/directory (not sure how it can be configured) as
you're trying to run that php code in?

--Jani

 [2002-10-28 05:33 UTC] paul at myitcv dot org dot uk
Jani,

Many thanks. Following on from your suggestion, I checked out the path from .htaccess to httpd.conf. Sure enough, as a globally set parameter in httpd.conf in a <Directory /> style config directive we have the following:

AuthType KerberosV5

which I would imagine is causing the problem.

Many thanks for your time,


Paul
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Nov 17 14:01:40 2019 UTC