Bug #63211 oauth_provider_get_current_HTTPS server variable
Submitted: 2012-10-03 17:18 UTC Modified: 2013-02-18 00:36 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: robert at commonsku dot com Assigned:
Status: No Feedback Package: oauth (PECL)
PHP Version: Irrelevant OS: Ubuntu 12.04
Private report: No CVE-ID: None
 [2012-10-03 17:18 UTC] robert at commonsku dot com
Description:
------------
This bug occurs in version 1.2.3.

The function oauth_provider_get_current_uri in provider.c returns an incorrect 
uri when the $_SERVER['HTTP'] variable is set, but empty.  It interprets this to 
mean that the protocol should be https.

The PHP documentation at http://php.net/manual/en/reserved.variables.server.php 
states that $_SERVER['HTTPS'] is "Set to a non-empty value if the script was 
queried through the HTTPS protocol."

This implies (although not unambiguously) that if $_SERVER['HTTPS'] is set, but 
empty, the protocol should be http.

This error occurs for me when I am using nginx and I have the directive:
fastcgi_param HTTPS $https;

The result is that the calculated signature does not match the signature that I 
send.  OAuthProvider::reportProblem() shows that the URI is using the https 
protocol.

The error could be fixed in provider.c (rev 327831) line 438 by checking whether 
the https variable is empty.
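
As an added illustration (not code from provider.c or from anyone in this thread), the C sketch below contrasts the check the report describes with the non-empty check it asks for, and shows how the chosen scheme ends up in the OAuth 1.0 signature base string. The host, path, parameters and all function names are constructed for the example; the empty string stands in for what `fastcgi_param HTTPS $https;` passes on a plain-http request.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample request; host, path and parameters are placeholders. */
#define HOST   "api.example.test"
#define PATH   "/oauth/request_token"
#define PARAMS "oauth_consumer_key=ck&oauth_nonce=n1&oauth_timestamp=1349284680"

/* Behaviour the report describes: HTTPS set, even to "", selects https. */
static const char *scheme_if_set(const char *https) {
    return https ? "https" : "http";
}

/* Check the report asks for: only a non-empty value selects https. */
static const char *scheme_if_nonempty(const char *https) {
    return (https && *https) ? "https" : "http";
}

/* Percent-encode everything except RFC 3986 unreserved characters. */
static void pct_encode(const char *in, char *out, size_t n) {
    size_t o = 0;
    for (; *in && o + 4 < n; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || strchr("-._~", c)) out[o++] = (char)c;
        else o += (size_t)snprintf(out + o, n - o, "%%%02X", c);
    }
    out[o] = '\0';
}

/* OAuth 1.0 signature base string: METHOD&enc(uri)&enc(params). */
static void base_string(const char *scheme, char *out, size_t n) {
    char uri[128], euri[384], eparams[384];
    snprintf(uri, sizeof uri, "%s://%s%s", scheme, HOST, PATH);
    pct_encode(uri, euri, sizeof euri);
    pct_encode(PARAMS, eparams, sizeof eparams);
    snprintf(out, n, "POST&%s&%s", euri, eparams);
}

/* 1 if the provider rebuilds the base string a consumer signed over plain http. */
static int provider_agrees(const char *(*detect)(const char *), const char *https) {
    char consumer[1024], provider[1024];
    base_string("http", consumer, sizeof consumer);
    base_string(detect(https), provider, sizeof provider);
    return strcmp(consumer, provider) == 0;
}

int main(void) { /* "" is the HTTPS value on a plain-http request behind nginx */
    printf("set check agrees: %d\n", provider_agrees(scheme_if_set, ""));
    printf("non-empty check agrees: %d\n", provider_agrees(scheme_if_nonempty, ""));
    return 0;
}
```

Because the scheme is part of the base string, the set-only check makes the provider compute its signature over different bytes than the consumer did, so verification fails even though both sides hold the same secret.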

 [2012-10-03 18:57 UTC] jawed@php.net
Automatic comment from SVN on behalf of jawed
Revision: http://svn.php.net/viewvc/?view=revision&revision=327864
Log: Bug 63211
 [2012-10-03 18:57 UTC] jawed@php.net
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

Can you please try trunk?

- JJ
 [2012-10-03 18:57 UTC] jawed@php.net
-Status: Open +Status: Feedback
 [2013-02-18 00:36 UTC] pecl-dev at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 [2013-03-26 13:47 UTC] msamson at fuelyouth dot com
Facing the same issue on nginx + php-fpm.

Debugging the get_current_uri function shows the https var being empty.

The proposed patch fixed the issue.

Thanks jawed!
 
Last updated: Mon Nov 04 22:01:28 2024 UTC