Request #32392 apache_request_headers() does not return Authorization header
Submitted: 2005-03-21 09:23 UTC Modified: 2005-03-22 10:11 UTC
From: lacak at users dot sourceforge dot net Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.3.10 OS: Win
Private report: No CVE-ID: None
 [2005-03-21 09:23 UTC] lacak at users dot sourceforge dot net
Description:
------------
Help PHP Developers, please, please

If PHP is running as an Apache module with safe_mode=on,
the result of the function apache_request_headers() does not include the Authorization header.

When I use "HTTP Digest Authorization" in my PHP script I cannot validate the client's response, because I cannot obtain the supplied Authorization header.

Please change the behavior of apache_request_headers(), so that it hides the Authorization header only if:
(safe_mode=on) && (AuthType is set to [Basic|Digest] in httpd.conf or .htaccess)
i.e. only if Apache performs the authentication.

Please reply ...
Thank you

Reproduce code:
---------------
Sample code :
<?php

  // Probe every place where the client's credentials might be exposed.
  $headers = apache_request_headers();
  if (isset($headers["Authorization"])) {
    print_r($headers);
    phpinfo();
    exit;
  }

  if (isset($_SERVER["PHP_AUTH_USER"])) {
    echo $_SERVER["PHP_AUTH_USER"] . ":" . $_SERVER["PHP_AUTH_PW"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
  }

  if (!empty($_SERVER["REMOTE_IDENT"])) {
    echo $_SERVER["REMOTE_IDENT"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
  }

  if (!empty($_SERVER["Authorization"])) {
    echo $_SERVER["Authorization"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
  }

  // Nothing found: challenge the client with a Digest scheme.
  // The header value must be a single line; a newline inside it would be rejected.
  header("HTTP/1.0 401 Unauthorized");
  header("WWW-Authenticate: Digest realm=\"www.myrealm.com\", opaque=\"opaque\", nonce=\"nonce\", stale=\"false\", qop=\"auth\"");
  print_r(getallheaders());
  exit;
?>


 [2005-03-21 10:31 UTC] rasmus@php.net
That would allow you to steal passwords from other scripts on the same shared server which is exactly what safemode is designed to counteract.  So no, this won't change.
 [2005-03-21 11:58 UTC] lacak at users dot sourceforge dot net
Thank you, rasmus, for the reply:
1. So how can I use "HTTP Digest Authorization" in a PHP script? (is it impossible? is there really no solution, today? or in the future?)
2. Why is it a security problem? When safe_mode=on, then the uid is added to the realm, so other scripts on the same shared (ISP) server cannot simulate the same realm and so steal passwords?
And another thing: when I use "HTTP Basic Authorization", then $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] are set (so they may be stolen) when safe_mode=on, but the Authorization header is not set.
 [2005-03-21 12:38 UTC] lacak at users dot sourceforge dot net
Please reply ...
 [2005-03-21 16:14 UTC] rasmus@php.net
1. In safemode, you can't.  
2. They can't simulate the realm in safemode, but they don't need to.  Adding the user id to the realm means you can't pretend to be them, but if the user has already visited and logged into that other site and then visits your site, without even sending an Authenticate header their browser will send you their Authorization header for the other site (assuming same domain like example.com/~bob vs. example.com/~joe) and if you could grab all the request headers you will now have stolen the user's username and password.
3. This is not a support forum
 [2005-03-22 10:11 UTC] lacak at users dot sourceforge dot net
Thank you very much.
I know, that it is not a support forum, but I am looking for a solution, that could be useful 
also for other PHP users.
"HTTP Basic Authorization" sends password only base64 encoded, and may be
easily stolen.
but
"HTTP Digest Authorization" sends password 'md5 hashed', so for other script
it is much more harder to steal or gain it.

Wouldn't it be possible to add to PHP support for Digest Authorization,
for example in the form $_SERVER["PHP_AUTH_DIGEST"], where the header from the HTTP
request would be added if 'Authorization: Digest ...' is used (similar to the 'Authorization:
Basic ...' in $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] even when
safe_mode=On)
1. PHP must parse the HTTP header.
2. When it finds Authorization: Basic then fill up $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]
3. Add the next condition: when it finds Authorization: Digest then fill $_SERVER["PHP_AUTH_DIGEST"]
(I think that it takes only a few lines of source code?)

Or different way
if safe_mode=On then
 HTTP Authorization header is never included in apache_request_headers(),
 but $_SERVER["PHP_AUTH_*"] are set up so script may validate username and
password ...
so the same logic could be taken for function apache_request_headers(), already used
when constructing $_SERVER["PHP_AUTH_*"]

Thank you very much for your time and effort.
Please reply.
Laco
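The validation step the reporter wants to perform, as an added example that is not part of the thread: given the value of a Digest Authorization header (however the script obtains it; later PHP releases expose it as $_SERVER["PHP_AUTH_DIGEST"]), parse it and check the response against a stored HA1 per RFC 2617. The user name, password, URI and cnonce are constructed sample values; the realm and nonce are the ones used in the report's challenge.

```php
<?php
// Added example, not code from the bug report. Assumes $headerValue is the text
// after "Authorization: Digest " and $ha1 = md5("user:realm:password") is stored
// server-side, so the script never needs the clear-text password.

function parseDigestHeader(string $headerValue): array {
    $fields = [];
    // key="quoted value" or key=token, comma separated; quoted values may contain '='.
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $headerValue, $m, PREG_SET_ORDER);
    foreach ($m as $match) {
        $fields[$match[1]] = $match[2] !== '' ? $match[2] : ($match[3] ?? '');
    }
    return $fields;
}

function digestResponseIsValid(array $d, string $method, string $ha1,
                               string $expectedRealm, string $expectedNonce): bool {
    foreach (['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'] as $k) {
        if (!isset($d[$k])) {
            return false; // incomplete header: reject rather than guess
        }
    }
    // Only accept the realm and a nonce this server issued; a client-chosen
    // realm/nonce pair could otherwise be replayed from a different challenge.
    if ($d['realm'] !== $expectedRealm || $d['nonce'] !== $expectedNonce || $d['qop'] !== 'auth') {
        return false;
    }
    $ha2 = md5($method . ':' . $d['uri']);
    $expected = md5(implode(':', [$ha1, $d['nonce'], $d['nc'], $d['cnonce'], $d['qop'], $ha2]));
    return hash_equals($expected, $d['response']); // constant-time comparison
}

// Constructed sample request: user "bob", password "secret", GET /protected.
$realm = 'www.myrealm.com';   // realm from the report's WWW-Authenticate challenge
$nonce = 'nonce';             // fixed here only for the demo; issue a random one per challenge
$ha1   = md5('bob:' . $realm . ':secret');
$ha2   = md5('GET:/protected');
$response = md5("$ha1:$nonce:00000001:abc123:auth:$ha2");
$header = 'username="bob", realm="' . $realm . '", nonce="' . $nonce . '", uri="/protected", '
        . 'qop=auth, nc=00000001, cnonce="abc123", response="' . $response . '", opaque="opaque"';

$ok = digestResponseIsValid(parseDigestHeader($header), 'GET', $ha1, $realm, $nonce);
echo $ok ? "digest response valid\n" : "digest response invalid\n";
```

A real deployment must also track which nonces it has issued and reject reuse of the nc counter, which this demo leaves out.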
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Apr 28 07:01:30 2024 UTC