Bug #67792 HTTP Authorization schema names are treated as case-sensitive
Submitted: 2014-08-05 18:50 UTC Modified: 2021-04-23 14:13 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: bcundal at cundal dot net Assigned: cmb (profile)
Status: Closed Package: HTTP related
PHP Version: 5.6Git-2014-08-05 (Git) OS:
Private report: No CVE-ID: None
 [2014-08-05 18:50 UTC] bcundal at cundal dot net
php_handle_auth_data treats the Authorization scheme (i.e. "Basic" or "Digest") as case-sensitive, but RFC 2617 section 1.2 describes this token as case-insensitive.

All instances of strncmp in php_handle_auth_data should be replaced with strnicmp.


 [2021-04-22 16:14 UTC]
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: cmb
 [2021-04-22 16:14 UTC]
While RFC 2617 is obsoleted, RFC 7617 explicitly mentions that
"both scheme and parameter names are matched
case-insensitively"[1].  RFC 7616[2] doesn't explicitly specify
this, but Appendix A describes the changes from RFC 2617, and
doesn't mention case-(in)sensitivity, so we can assume that
"Digest" also has to be treated case-insensitive.

[1] <>
[2] <>
 [2021-04-22 16:27 UTC]
The following pull request has been associated:

Patch Name: Fix #67792: HTTP Authorization schemes are treated as case-sensitive
On GitHub:
 [2021-04-23 14:13 UTC]
-Status: Verified
+Status: Closed
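
The comparison this report asks for, as an added example that is not part of the bug report, the pull request or PHP's source. `auth_params` and `count_basic` are hypothetical helpers, the header values are constructed samples, and POSIX `strncasecmp` is assumed as the case-insensitive comparison.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>  /* strncasecmp (POSIX) */

/* Hypothetical helper, not PHP's php_handle_auth_data(): returns a pointer to
 * the credentials that follow `scheme` in an Authorization header value, or
 * NULL when the header uses a different scheme or carries no credentials. */
static const char *auth_params(const char *header, const char *scheme,
                               int case_sensitive)
{
    size_t n = strlen(scheme);
    int differs;

    if (header == NULL || strlen(header) <= n)
        return NULL;
    differs = case_sensitive ? strncmp(header, scheme, n)
                             : strncasecmp(header, scheme, n);
    /* Require a space after the scheme so "Basically ..." is not "Basic". */
    if (differs != 0 || header[n] != ' ')
        return NULL;
    header += n;
    while (*header == ' ')
        header++;
    return *header ? header : NULL;
}

/* Constructed sample header values. */
static const char *const samples[] = {
    "Basic dXNlcjpwYXNz",
    "basic dXNlcjpwYXNz",
    "BASIC dXNlcjpwYXNz",
    "Basically dXNlcjpwYXNz",
};

/* Counts how many samples are recognised as Basic under each comparison. */
static int count_basic(int case_sensitive)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (auth_params(samples[i], "Basic", case_sensitive) != NULL)
            hits++;
    return hits;
}

int main(void)
{
    return (count_basic(1) == 1 && count_basic(0) == 3) ? 0 : 1;
}
```

With the case-sensitive comparison only the first sample is recognised, so a client sending `basic` or `BASIC` would have its credentials ignored; the case-insensitive comparison accepts all three spellings while still rejecting the look-alike token.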
Last updated: Sun May 19 15:01:31 2024 UTC