Justtechjobs.com Find a programming school near you






Online Campus Both


php-developer-list | 2002112

[PHP-DEV] Re: #20461 [Opn->Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW From: Rasmus Lerdorf (rasmus <email protected>)
Date: 11/18/02

I'm still not overly convinced that this isn't a restriction that should
only kick in when safe_mode or open_basedir is active. This change is
going to break working code and it is not a security fix on non-shared
servers.

-Rasmus

On 18 Nov 2002 sniper <email protected> wrote:

> ID: 20461
> Updated by: sniper <email protected>
> Reported By: shawn <email protected>
> -Status: Open
> +Status: Bogus
> Bug Type: Apache related
> Operating System: Linux 2.4.8
> PHP Version: 4CVS-2002-11-17
> New Comment:
>
> Then that is an external auth mechanism and means this
> is not a bug in PHP:
>
> From: http://www.php.net/manual/en/features.http-auth.php
>
> "In order to prevent someone from writing a script which
> reveals the password for a page that was authenticated
> through a traditional external mechanism, the
> PHP_AUTH variables will not be set if external
> authentication is enabled for that particular page. In this
> case, REMOTE_USER can be used to identify the
> externally-authenticated user. So, $_SERVER['REMOTE_USER'].
>
> Configuration Note: PHP uses the presence of an AuthType
> directive to determine whether external authentication is in
> effect. Remember to avoid this directive for the context
> where you want to use PHP authentication (otherwise each
> authentication attempt will fail).
> "
>
> There was a bug in previous PHP 4 versions which let the
> external authenticated usernames and passwords to be revealed for
> scripts. This is fixed in PHP 4.3.0.
>
> (btw. you really should upgrade your apache to 1.3.27! And forget
> Apache2, it really is not ready for production use)
>
>
>
>
> Previous Comments:
> ------------------------------------------------------------------------
>
> [2002-11-17 22:45:43] shawn <email protected>
>
> forgot to answer your other question.. using apache 1.3.20 -- been
> wanting to upgrade to 2.0 but have had a whole different set of
> problems w/ that, so taking things one step at a time...
>
> ------------------------------------------------------------------------
>
> [2002-11-17 22:43:25] shawn <email protected>
>
> tried using $_SERVER already, no dice.
>
> i meant using the mod_auth module in apache to protect certain
> directories.. when those directories are accessed, the browser pops up
> a window for the user to enter in their username/password for that
> resource...
>
> ------------------------------------------------------------------------
>
> [2002-11-17 22:23:00] sniper <email protected>
>
> I can not reproduce this, it works fine here.
> Try accessing the variables through $_SERVER variable:
>
> $_SERVER['PHP_AUTH_USER']
> $_SERVER['PHP_AUTH_PW']
>
> And what Apache version are you using?
> What do you mean with "regular http authentication through apache" ??
>
>
> ------------------------------------------------------------------------
>
> [2002-11-17 22:09:27] shawn <email protected>
>
> not using any external auth... simply using regular http authentication
> through apache... certain directories on the webserver are protected,
> and so it pops up the box asking the user for username/password.. and
> then rather then ask them AGAIN for a login for some of my web-based
> apps, i simply pass the http auth info (via $PHP_AUTH_USER and
> $PHP_AUTH_PW) along to these apps. the only problem is, those 2
> variables don't seem to exist anymore for me. nothing has changed in
> my configuration except for the fact that i'm now using the cvs version
> of php as opposed to 4.2.3 (if you read in my original bug report it
> explains why).
>
> ------------------------------------------------------------------------
>
> [2002-11-17 20:13:05] sniper <email protected>
>
> Are you using some external auth mechanism?
>
>
> ------------------------------------------------------------------------
>
> The remainder of the comments for this report are too long. To view
> the rest of the comments, please view the bug report online at
> http://bugs.php.net/20461
>
> --
> Edit this bug report at http://bugs.php.net/?id=20461&edit=1
> 

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php