|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2009-01-15 19:23 UTC] jani@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri May 09 19:01:28 2025 UTC |
Description: ------------ If you create a directory with a .htaccess and a .htpassword inside (and Apache2 correctly configured), and you create a .php file with the next code: <?php $user = $_SERVER['PHP_AUTH_USER']; $pass = $_SERVER['PHP_AUTH_PW']; $validated = ($user=="user") && (($pass) == "pass"); if (!$validated) { header('WWW-Authenticate: Basic realm="Realm"'); header('HTTP/1.0 401 Unauthorized'); die ("Authentification failed."); } ?> In the second authetification the browser will start loading the page waiting for response. Looking at the apache's error log it will show an "user not found" error. I've tried it with PHP 5.2.6 and PHP 5.2.7 . Reproduce code: --------------- <?php //Remember to create .htaccess and .htpasswd $user = $_SERVER['PHP_AUTH_USER']; $pass = $_SERVER['PHP_AUTH_PW']; $validated = ($user=="user") && (($pass) == "pass"); if (!$validated) { header('WWW-Authenticate: Basic realm="Realm"'); header('HTTP/1.0 401 Unauthorized'); die ("Authentification failed."); } ?> Expected result: ---------------- Resources comsuption, maybe DOS. Actual result: -------------- Very high memory load.