php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67792 HTTP Authorization schema names are treated as case-sensitive
Submitted: 2014-08-05 18:50 UTC Modified: 2021-04-23 14:13 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: bcundal at cundal dot net Assigned: cmb (profile)
Status: Closed Package: HTTP related
PHP Version: 5.6Git-2014-08-05 (Git) OS:
Private report: No CVE-ID: None
 [2014-08-05 18:50 UTC] bcundal at cundal dot net
Description:
------------
php_handle_auth_data treats the Authorization scheme (i.e. "Basic" or "Digest") as case-sensitive, but RFC 2617 section 1.2 describes this token as case-insensitive.

All instances of strncmp in php_handle_auth_data should be replaced with strnicmp.


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-04-22 16:14 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-04-22 16:14 UTC] cmb@php.net
While RFC 2617 is obsoleted, RFC 7617 explicitly mentions that
"both scheme and parameter names are matched
case-insensitively"[1].  RFC 7616[2] doesn't explicitly specificy
this, but Appendix A descibes the changes from RFC 2617, and
doesn't mention case-(in)sensitivity, so we can assume that
"Digest" also has to be treated case-insensitive.

[1] <https://tools.ietf.org/html/rfc7617#section-2>
[2] <https://tools.ietf.org/html/rfc7616>
 [2021-04-22 16:27 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #67792: HTTP Authorization schemes are treated as case-sensitive
On GitHub:  https://github.com/php/php-src/pull/6900
Patch:      https://github.com/php/php-src/pull/6900.patch
 [2021-04-23 14:13 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Jun 16 16:01:23 2021 UTC