PHP :: Bug #67792 :: HTTP Authorization schema names are treated as case-sensitive

Bug #67792

HTTP Authorization schema names are treated as case-sensitive

Submitted:

2014-08-05 18:50 UTC

Modified:

2021-04-23 14:13 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

bcundal at cundal dot net

Assigned:

cmb (profile)

Status:

Closed

Package:

HTTP related

PHP Version:

5.6Git-2014-08-05 (Git)

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	bcundal at cundal dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2014-08-05 18:50 UTC] bcundal at cundal dot net

Description:
------------
php_handle_auth_data treats the Authorization scheme (i.e. "Basic" or "Digest") as case-sensitive, but RFC 2617 section 1.2 describes this token as case-insensitive.

All instances of strncmp in php_handle_auth_data should be replaced with strnicmp.

Patches

Add a Patch

Pull Requests

Pull requests:

Fix #67792: HTTP Authorization schemes are treated as case-sensitive (php-src/6900)

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-04-22 16:14 UTC] cmb@php.net

-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb

[2021-04-22 16:14 UTC] cmb@php.net

While RFC 2617 is obsoleted, RFC 7617 explicitly mentions that
"both scheme and parameter names are matched
case-insensitively"[1].  RFC 7616[2] doesn't explicitly specificy
this, but Appendix A descibes the changes from RFC 2617, and
doesn't mention case-(in)sensitivity, so we can assume that
"Digest" also has to be treated case-insensitive.

[1] <https://tools.ietf.org/html/rfc7617#section-2>
[2] <https://tools.ietf.org/html/rfc7616>

[2021-04-22 16:27 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #67792: HTTP Authorization schemes are treated as case-sensitive
On GitHub:  https://github.com/php/php-src/pull/6900
Patch:      https://github.com/php/php-src/pull/6900.patch

[2021-04-23 14:13 UTC] cmb@php.net

-Status: Verified +Status: Closed

[2021-04-23 14:13 UTC] cmb@php.net

Fixed: <https://github.com/php/php-src/commit/39ddf6b89cc5013f6e1ded90a238cd8b610e6597>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 15:01:28 2024 UTC