php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #43161 WWW-Authenticate and safe_mode
Submitted: 2007-10-31 11:52 UTC Modified: 2007-10-31 12:44 UTC
From: yarodin at gmail dot com Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 5.2.4 OS: FreeBSD 6.3-PRERELEASE
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: yarodin at gmail dot com
New email:
PHP Version: OS:

 

 [2007-10-31 11:52 UTC] yarodin at gmail dot com 
Description:
------------
I really don't understand how it "If safe mode is enabled, the uid of the script is ADDED to the realm part of the WWW-Authenticate header." increase security. And why this behavior is not optional (without disabling all safe_mode restriction).

About other strange behavior of this functionality (for my point of view) see below.



Reproduce code:
---------------
safe_mode=On / pcre=enabled

1. Example 34.1. Basic HTTP Authentication example from http://www.php.net/manual/en/features.http-auth.php

2. Example 34.2. Digest HTTP Authentication example from http://www.php.net/manual/en/features.http-auth.php

Expected result:
----------------
1. Consider of docs the note "If safe mode is enabled, the uid of the script is ADDED to the realm part of the WWW-Authenticate header." I expect realm=uid My Realm or realm=My Realm uid


2. Digest http auth ;)

Actual result:
--------------
1. realm=uid
I.e. php REPLACING realm at safe_mode=on with uid of script.

2. Always changed to Basic http auth

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-10-31 12:44 UTC] johannes@php.net 
The reason is to prevent stealing auth session from independent directories on the same host and we won't change anything related to that as safe_mode is being removed with PHP 6.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 14:01:31 2024 UTC