php-developer-list | 2002112
Date: 11/18/02
- Next message: Rasmus Lerdorf: "Re: [PHP-DEV] Re: #20461 [Opn->Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW"
- Previous message: Rasmus Lerdorf: "[PHP-DEV] Re: #20461 [Opn->Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW"
- In reply to: Rasmus Lerdorf: "[PHP-DEV] Re: #20461 [Opn->Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW"
- Next in thread: Rasmus Lerdorf: "Re: [PHP-DEV] Re: #20461 [Opn->Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW"
- Reply: Rasmus Lerdorf: "Re: [PHP-DEV] Re: #20461 [Opn->Bgs]: Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW"
On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:
> I'm still not overly convinced that this isn't a restriction that should
> only kick in when safe_mode or open_basedir is active. This change is
> going to break working code and it is not a security fix on non-shared
> servers.

True, but it was clearly documented that it shouldn't work. Do we really
have to make a feature out of every bug? I'd say no...

Derick

> > ID: 20461
> > Updated by: sniper <email protected>
> > Reported By: shawn <email protected>
> > -Status: Open
> > +Status: Bogus
> > Bug Type: Apache related
> > Operating System: Linux 2.4.8
> > PHP Version: 4CVS-2002-11-17
> > New Comment:
> >
> > Then that is an external auth mechanism and means this
> > is not a bug in PHP:
> >
> > From: http://www.php.net/manual/en/features.http-auth.php
> >
> > "In order to prevent someone from writing a script which
> > reveals the password for a page that was authenticated
> > through a traditional external mechanism, the
> > PHP_AUTH variables will not be set if external
> > authentication is enabled for that particular page. In this
> > case, REMOTE_USER can be used to identify the
> > externally-authenticated user. So, $_SERVER['REMOTE_USER'].
> >
> > Configuration Note: PHP uses the presence of an AuthType
> > directive to determine whether external authentication is in
> > effect. Remember to avoid this directive for the context
> > where you want to use PHP authentication (otherwise each
> > authentication attempt will fail).
> > "
> >
> > There was a bug in previous PHP 4 versions which let the
> > external authenticated usernames and passwords be revealed for
> > scripts. This is fixed in PHP 4.3.0.
> >
> > (btw. you really should upgrade your apache to 1.3.27! And forget
> > Apache2, it really is not ready for production use)
> >
> >
> >
> >
> > Previous Comments:
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 22:45:43] shawn <email protected>
> >
> > forgot to answer your other question.. using apache 1.3.20 -- been
> > wanting to upgrade to 2.0 but have had a whole different set of
> > problems w/ that, so taking things one step at a time...
> >
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 22:43:25] shawn <email protected>
> >
> > tried using $_SERVER already, no dice.
> >
> > i meant using the mod_auth module in apache to protect certain
> > directories.. when those directories are accessed, the browser pops up
> > a window for the user to enter in their username/password for that
> > resource...
> >
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 22:23:00] sniper <email protected>
> >
> > I can not reproduce this, it works fine here.
> > Try accessing the variables through $_SERVER variable:
> >
> > $_SERVER['PHP_AUTH_USER']
> > $_SERVER['PHP_AUTH_PW']
> >
> > And what Apache version are you using?
> > What do you mean with "regular http authentication through apache" ??
> >
> >
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 22:09:27] shawn <email protected>
> >
> > not using any external auth... simply using regular http authentication
> > through apache... certain directories on the webserver are protected,
> > and so it pops up the box asking the user for username/password.. and
> > then rather than ask them AGAIN for a login for some of my web-based
> > apps, i simply pass the http auth info (via $PHP_AUTH_USER and
> > $PHP_AUTH_PW) along to these apps. the only problem is, those 2
> > variables don't seem to exist anymore for me. nothing has changed in
> > my configuration except for the fact that i'm now using the cvs version
> > of php as opposed to 4.2.3 (if you read in my original bug report it
> > explains why).
> >
> > ------------------------------------------------------------------------
> >
> > [2002-11-17 20:13:05] sniper <email protected>
> >
> > Are you using some external auth mechanism?
> >
> >
> > ------------------------------------------------------------------------
> >
> > The remainder of the comments for this report are too long. To view
> > the rest of the comments, please view the bug report online at
> > http://bugs.php.net/20461
> >
> > --
> > Edit this bug report at http://bugs.php.net/?id=20461&edit=1
> >
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
>
-----------------------------------------------------------------------------
 Derick Rethans                                   http://derickrethans.nl/
 JDI Media Solutions
--------------[ if you hold a unix shell to your ear, do you hear the c? ]-
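
The manual text quoted in this thread says to identify an externally authenticated user through REMOTE_USER rather than the PHP_AUTH variables. The following is an added example, not code from the thread or from PHP itself, of a script that accepts either mode without ever needing the password the web server checked. The function names, the `$users` table and the sample inputs are assumptions made for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread). Names and sample data are hypothetical.

/**
 * Identify the caller from a $_SERVER-style array.
 * Returns ['user' => ..., 'source' => 'external'|'php'], or null when the
 * script should answer with a 401 challenge.
 */
function resolve_user(array $server, array $users): ?array
{
    // External auth (an AuthType directive covers this path): the web server
    // already checked the password, so only the user name is needed.
    if (isset($server['REMOTE_USER']) && $server['REMOTE_USER'] !== '') {
        return ['user' => $server['REMOTE_USER'], 'source' => 'external'];
    }
    // PHP-driven auth: no AuthType in effect, so the script checks the password.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        $hash = $users[$server['PHP_AUTH_USER']] ?? null;
        if ($hash !== null && password_verify($server['PHP_AUTH_PW'], $hash)) {
            return ['user' => $server['PHP_AUTH_USER'], 'source' => 'php'];
        }
    }
    return null;
}

// Sends the Basic auth challenge; a real page calls this when resolve_user() is null.
function challenge(string $realm): void
{
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    exit("Authentication required\n");
}

// Constructed inputs standing in for $_SERVER under each configuration.
$users = ['alice' => password_hash('constructed-password', PASSWORD_DEFAULT)];
$cases = [
    'external auth'     => ['REMOTE_USER' => 'alice'],
    'php auth, good pw' => ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'constructed-password'],
    'php auth, bad pw'  => ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'wrong'],
    'no credentials'    => [],
];
foreach ($cases as $label => $server) {
    $who = resolve_user($server, $users);
    echo $label, ': ', $who ? $who['user'] . ' via ' . $who['source'] : '401 challenge', "\n";
}
```

An application that receives the user name this way has no password to forward to other applications, which is the property the manual text describes.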

