php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #20088 Custom authentication mechanism
Submitted: 2002-10-25 10:36 UTC Modified: 2002-10-28 05:33 UTC
From: paul at myitcv dot org dot uk Assigned:
Status: Closed Package: HTTP related
PHP Version: 4.2.3 OS: SuSE Linux 7.2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
14 - 8 = ?
Subscribe to this entry?

 
 [2002-10-25 10:36 UTC] paul at myitcv dot org dot uk 
The following code:

<?php

// File Name: auth01.php
// Check to see if $PHP_AUTH_USER already contains info

if (!isset($PHP_AUTH_USER)) {

// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
phpinfo();
exit;
}

// If not empty, display values for variables

else {

echo "
<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>
";

}

?>

....fails. I believe the reason for this is that I have made the following change to the PHP source:

--- php/sapi/apache/mod_php4.c.paj00    Tue Sep 10 13:59:06 2002
+++ php/sapi/apache/mod_php4.c  Tue Sep 10 13:59:17 2002
@@ -434,7 +434,7 @@
                authorization = table_get(r->headers_in, "Authorization");
        }
        if (authorization
-/*             && !auth_type(r) */
+               && !auth_type(r) 
                && !strcasecmp(getword(r->pool, &authorization, ' '), "Basic")) {
                tmp = uudecode(r->pool, authorization);
                SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');

I have made this change because of Bug #18391. However, custom authentication methods, an example of which is entered above, now fail. I would imagine that the two are linked. 

As we use mod_auth_kerb I will not remove this patch because otherwise we leave ourselves quite open to attack from the inside. Any suggestions on how to get custom authentication working alongside the increased kerberos security?

Thanks,


Paul

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-10-25 12:44 UTC] sniper@php.net 
Works fine here. Do you have 'register_globals=On' ??
 [2002-10-27 10:49 UTC] paul at myitcv dot org dot uk 
Yes, register_globals is on. Did your test system have similar modules (eg mod_auth_kerb etc) installed?
 [2002-10-27 21:25 UTC] sterling@php.net 
Err, you have created a bug by modifying the PHP source, trying to fix another bug?  Why did you report this bug - anyhow, its marked bogus :)
 [2002-10-28 04:04 UTC] paul at myitcv dot org dot uk 
The patch I applied to the source was on the recommendation of php.net developers who said that the exact same patch would soon make it into the main tree. Therefore I assumed they recognised the original behaviour with revelation of kerberos passwords as a genuine bug.

Hence, with the patch applied I am now reporting that the custom authentication method fails. 

Sorry for being thick, but have I missed something?
 [2002-10-28 04:51 UTC] sniper@php.net 
Nevermind Sterling, he just wasn't aware of the patch..which btw. is in 4.3.0-dev already.

Anyway, I'm still unable to reproduce this. I don't have time to install mod_auth_kerb right now. 
But the problem might be configuration related..are you
sure you're not using the mod_auth_kerb within the same vhost/directory (not sure how it can be configured) as
you're trying to run that php code in?

--Jani
 [2002-10-28 05:33 UTC] paul at myitcv dot org dot uk 
Jani,

Many thanks. Following on from your suggestion, I checked out the path from .htaccess to httpd.conf. Sure enough, as a globally set parameter in httpd.conf in a <Directory /> style config directive we have the following:

AuthType KerberosV5

which I would imagine is causing the problem.

Many thanks for your time,


Paul
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 20 03:01:28 2024 UTC