PHP :: Bug #24021 :: string comparison started failing after changing to 4.3.2

Bug #24021

string comparison started failing after changing to 4.3.2

Submitted:

2003-06-04 12:03 UTC

Modified:

2003-06-04 16:06 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

razorstrike at hotmail dot com

Assigned:

Status:

Closed

Package:

Strings related

PHP Version:

4.3.2

OS:

WinNT 4.0

Private report:

CVE-ID:

None

View Developer Edit

[2003-06-04 12:03 UTC] razorstrike at hotmail dot com

I use basic authentication to grant users access to a page.  I have included the code below.  This code no longer works after upgrading to 4.3.2.  It has worked in ALL previous release I have used up to, and including, 4.3RC1.

In short, I read a flat file of user info.  The format is "username:password" (no quotes). One per line.  The code breaks out the pairs into an array and tests against $PHP_AUTH_USER and _PW until a match is made.  Otherwise it displays a warning.

I have narrowed it down to the string comparison, and have tried strcmp and strncmp (with modified logic) in place of "==" without success.  Also, I have output all of the variable values with various echo statements.  It appears all values are being set correctly.

Did something change with basic auth?  FYI, I have used the same PHP.INI file throughout, without modification.

<?
$auth = false; // Assume user is not authenticated

if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
	$PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];
	$PHP_AUTH_PW = $_SERVER['PHP_AUTH_PW'];

	// Read the entire file into the variable $file_contents
	$filename = 'c:\\pass.txt';
	$fp = fopen( $filename, 'r' );
	$file_contents = fread($fp, filesize($filename));
	fclose( $fp );

	// Place the individual lines from the file contents into an array.
	$lines = explode("\n", $file_contents);

	// Split each of the lines into a username and a password pair
	// and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.

	foreach ($lines as $line) {
		list($username, $password) = explode(':', $line);

		if (($username == "$PHP_AUTH_USER") && ($password == "$PHP_AUTH_PW")) {
			// A match is found, meaning the user is authenticated. So, stop the search.
			$auth = true;
			break;
		}
	}
} 

if (!$auth) {
	$authhead = 'WWW-Authenticate: Basic realm="Login"';
	header( "$authhead" );
	header( 'HTTP/1.0 401 Unauthorized' );
	echo "<CENTER>\n<BR><BR>\n<B><DIV STYLE=\"font-family: helvetica, arial, verdana; font-size: 14pt;\">The username or password you entered was invalid.</B>\n<BR><BR>\n";
	echo "<INPUT TYPE=button VALUE=\"Try Again\" onClick=\"window.location='';\"></DIV>";
	exit;
}
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-06-04 12:21 UTC] moriyoshi@php.net

Which SAPI are you actually using? (IIS? Apache1/2? or CGI?)

hint: try var_dump() to verify the contents of variables.

[2003-06-04 15:04 UTC] razorstrike at hotmail dot com

I am using Apache 2.0.46 with the PHP4.3.2RC1 (php4apache.dll dated Sept 9, 2002) currently.

Okay, I have come up with a solution.  Now, I think it's either a bug fix that broke my code, or it is a bug itself.

Here's what I did:
if (($username == "$PHP_AUTH_USER") && ($password == "$PHP_AUTH_PW"))

IS NOW

if ((trim($username) == "$PHP_AUTH_USER") && (trim($password) == "$PHP_AUTH_PW"))

Note the TRIMs.  For some reason there is a space (or newline?) being appended to each line during the "explode" that wasn't there previously.  I have verified that the password file doesn't have any extraneous characters.  It was overkill to trim the username, too, but it can't hurt :)

BTW: Thanks for the var_dump suggestion! It helped me spot the space in the raw var.

[2003-06-04 15:08 UTC] edink@php.net

4.3.2 changed default opening mode on windows to binary due to the many problems text mode caused. It appears that you have the opposite problem. Could you try opening file in "rt" mode and see if that solves the problem for you?

[2003-06-04 15:58 UTC] razorstrike at hotmail dot com

Okay, opening in "rt" mode eliminated the space (EOL?) from showing up in the var_dump() output.  I removed the TRIMs I had added and the code now works as originally written.  For (my) sanity's sake I'm going to leave the TRIMs in, as I do not want any spaces around those values anyway, but at least I know what happened!  Thanks to everyone for the feedback.

[2003-06-04 16:06 UTC] edink@php.net

If your file is in DOS format (\r\n line endings) and its open in binary mode explode will only get rid of \n leaving \r in there. So opening the file in text mode solves the problem.

Closing the report.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri May 09 14:01:27 2025 UTC