|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2005-12-20 22:28 UTC] fcu-phpbugs at no-way dot org
Description: ------------ When using Apache's Basic Auth together with php in FastCGI Mode, the credentials of the User do not get passed to the PHP Script. When I configure FastCGI to pass the Authentication Headers (-pass-header Authorization), these get passed to the script, but they are ignored by PHP. This is because in cgi_main.c only the Env-Var "HTTP_AUTHORIZATION" gets checked and not "Authorization" which seems to be the correct Header value (at least with apache2). All the apache Handler correctly use that header to set the Authentication Env-Vars. Could the cgi handler also check for that header? PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Mar 29 15:01:29 2025 UTC |
Even with patching PHP to use "Authorization", it does not work. I've added "-pass-header Authorization" to the FastCgiServer (mod_fastcgi) configuration and get the following: _SERVER["Authorization"] => "Basic ZGFuaWVsOmxzZDQy" But this gets ignored (as it seems) by php_handle_auth_data(), because there's no user in there. I'm wondering though, why "Authorization" gets passed by Apache though, because SECURITY_HOLE_PASS_AUTHORIZATION does not seem to be defined and therefor "Authorization" should not be passed on to CGIs..?! ----------------------------- "Authorization" patch for PHP: --- sapi/cgi/cgi_main.c 15 Nov 2006 13:33:41 -0000 1.267.2.15.2.18 +++ sapi/cgi/cgi_main.c 30 Nov 2006 02:18:13 -0000 @@ -972,7 +972,7 @@ SG(request_info).content_length = (content_length ? atoi(content_length) : 0); /* The CGI RFC allows servers to pass on unvalidated Authorization data */ - auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION", sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC); + auth = sapi_cgibin_getenv("Authorization", sizeof("Authorization")-1 TSRMLS_CC); php_handle_auth_data(auth TSRMLS_CC); } } -----------------------------Same behaviour with both PHP 4.4.9 & 5.2.0 using Apache 2.2.9. Of course I could patch cgi_main.c but I have an other work-around. I created which is called using the auto_prepend_file feature in php.ini. <?php // maybe we have caught authentication data in $_SERVER['Authorization'] if((!$_SERVER['PHP_AUTH_USER'] || !$_SERVER['PHP_AUTH_USER']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['Authorization'], $matches)) { list($name, $password) = explode(':', base64_decode($matches[1])); $_SERVER['PHP_AUTH_USER'] = strip_tags($name); $_SERVER['PHP_AUTH_PW'] = strip_tags($password); } ?> Works with both PHP 4.4 & 5.2. But it would be very for someone with CVS write access to patch this for newer releases :) The "Authorization" header gets passed from Apache to the fastcgi server because that's exactly what the -pass-header option means :) (allow to pass some headers to FastCGI that aren't supposed to).PHP won't support non-standard headers passed by Apache. mod_fastcgi (or other FastCGI manager) must care about sending proper HTTP_AUTHORIZATION header according to CGI RFC. It is possible to configure Apache to do it using mod_rewrite. RewriteEngine on RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]