php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #35752 PHP_AUTH_USER and PHP_AUTH_PW not available when using FastCGI
Submitted: 2005-12-20 22:28 UTC Modified: 2008-11-28 12:17 UTC
Votes:10
Avg. Score:4.6 ± 0.7
Reproduced:8 of 8 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: fcu-phpbugs at no-way dot org Assigned: dmitry
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.4.2RC1 OS: All
Private report: No CVE-ID:
 [2005-12-20 22:28 UTC] fcu-phpbugs at no-way dot org
Description:
------------
When using Apache's Basic Auth together with php in FastCGI Mode, the credentials of the User do not get passed to the PHP Script.

When I configure FastCGI to pass the Authentication Headers (-pass-header Authorization), these get passed to the script, but they are ignored by PHP.

This is because in cgi_main.c only the Env-Var "HTTP_AUTHORIZATION" gets checked and not "Authorization" which seems to be the correct Header value (at least with apache2).

All the apache Handler correctly use that header to set the Authentication Env-Vars.

Could the cgi handler also check for that header?


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-01-02 16:20 UTC] jacques@php.net
Also this behaviour is seen in PHP 5.1.1 run under FastCGI.
 [2006-11-30 03:29 UTC] phpbugs at thequod dot de
Even with patching PHP to use "Authorization", it does not 
work.

I've added "-pass-header Authorization" to the 
FastCgiServer (mod_fastcgi) configuration and get the 
following:
_SERVER["Authorization"] => "Basic ZGFuaWVsOmxzZDQy"

But this gets ignored (as it seems) by 
php_handle_auth_data(), because there's no user in there.

I'm wondering though, why "Authorization" gets passed by 
Apache though, because SECURITY_HOLE_PASS_AUTHORIZATION 
does not seem to be defined and therefor "Authorization" 
should not be passed on to CGIs..?!

-----------------------------
"Authorization" patch for PHP:
--- sapi/cgi/cgi_main.c 15 Nov 2006 13:33:41 -0000      
1.267.2.15.2.18
+++ sapi/cgi/cgi_main.c 30 Nov 2006 02:18:13 -0000
@@ -972,7 +972,7 @@
                SG(request_info).content_length = 
(content_length ? atoi(content_length) : 0);

                /* The CGI RFC allows servers to pass on 
unvalidated Authorization data */
-               auth = 
sapi_cgibin_getenv("HTTP_AUTHORIZATION", 
sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC);
+               auth = sapi_cgibin_getenv("Authorization", 
sizeof("Authorization")-1 TSRMLS_CC);
                php_handle_auth_data(auth TSRMLS_CC);
        }
 }
-----------------------------
 [2006-11-30 03:47 UTC] phpbugs at thequod dot de
Hmm.. I'm dumb.
1. The above contains the user and password
2. I've forgotten to replace the patched php binary

But still, I'm wondering why "Authorization" gets passed 
from Apache to the fastcgi server (but that's no PHP 
problem and actually good).

(Would someone be so kind and "starify" the above 
user/password data?)
 [2007-03-25 16:37 UTC] phpbugs at thequod dot de
Any progress on this one? It's still the case with PHP5-CVS.
 [2008-08-23 15:04 UTC] airmax at trolleur dot net
Same behaviour with both PHP 4.4.9 & 5.2.0 using Apache 2.2.9.

Of course I could patch cgi_main.c but I have an other work-around. I created which is called using the auto_prepend_file feature in php.ini.

<?php
// maybe we have caught authentication data in $_SERVER['Authorization']
if((!$_SERVER['PHP_AUTH_USER'] || !$_SERVER['PHP_AUTH_USER'])
    && preg_match('/Basic\s+(.*)$/i', $_SERVER['Authorization'], $matches)) {

    list($name, $password) = explode(':', base64_decode($matches[1]));
    $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
    $_SERVER['PHP_AUTH_PW']    = strip_tags($password);
}
?>

Works with both PHP 4.4 & 5.2. But it would be very for someone with CVS write access to patch this for newer releases :)

The "Authorization" header gets passed from Apache to the fastcgi server because that's exactly what the -pass-header option means :) (allow to pass some headers to FastCGI that aren't supposed to).
 [2008-11-28 12:17 UTC] dmitry@php.net
PHP won't support non-standard headers passed by Apache.

mod_fastcgi (or other FastCGI manager) must care about sending proper HTTP_AUTHORIZATION header according to CGI RFC.

It is possible to configure Apache to do it using mod_rewrite.

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Mon May 29 04:01:35 2017 UTC