Posted to apache-bugdb@apache.org by David Begley <d....@uws.edu.au> on 2001/11/08 11:59:57 UTC
general/8711: HTTP authentication variables not propagated to Action scripts
>Number: 8711
>Category: general
>Synopsis: HTTP authentication variables not propagated to Action scripts
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Nov 08 03:00:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: d.begley@uws.edu.au
>Release: 2.0
>Organization:
apache
>Environment:
Operating System:
Sun Solaris 2.7 (SPARC)
Compiler:
GNU CC (gcc) 2.8.1
Additional Third-Party Apache Modules:
(none)
Additional Software:
PHP/4.0.6 (using the CGI interface)
>Description:
The HTTP authentication variables usually seen by CGI scripts, namely AUTH_TYPE
and REMOTE_USER, are not being propagated to "Action" scripts even though they
are working for regular CGI scripts. Tested a number of Apache versions to
check this, each using an identical httpd.conf/.htaccess environment:
Apache/1.3.22 (Unix) - works for both CGI and Action
Apache/2.0.16 (Unix) - works for CGI, Action fails
Apache/2.0.27 (Unix) - works for CGI, Action fails
With each of these versions, if you call the standard "test-cgi" CGI shell
script after configuring Apache to authenticate access to the script, the
variables REMOTE_USER and AUTH_TYPE are clearly visible. If you call a PHP
script that prints these variables when PHP runs as an Action (see below),
Apache/1.3.22 works but both Apache 2.0.x versions fail.
Further, access_log shows the authenticated user for each request under 1.3.22
but under both 2.0.x versions there is no user ID logged; again, this is using
an identical httpd.conf/.htaccess configuration.
The action is configured simply as per:
Action application/x-httpd-php /cgi-bin/phpwrap
PHPWrap is a shell script that dumps all environment variables prior to exec'g
PHP proper - this was done to see if the problem was PHP's or Apache's; it is
clear from this that the problem is Apache's as the REMOTE_USER and AUTH_TYPE
variables are never passed to PHP under 2.0.x but work under 1.3.22.
Unfortunately with both REMOTE_USER and AUTH_TYPE missing, a number of Web
applications written using HTTP authentication all fail to operate, making
this a critical fault (certainly before Apache 2.0 goes "production" anyway).
>How-To-Repeat:
Configure PHP to use the CGI interface, configure Apache to call PHP using an
"Action" then try running a few regular CGI scripts versus PHP scripts when
authenticated - REMOTE_USER and AUTH_TYPE appear for the regular CGI scripts
but never appear (and no user details are logged) for the Action-driven
scripts.
>Fix:
Unfortunately not; I've had a quick look at the 2.0.16 source code and there
does not appear to be any major difference between how REMOTE_ADDR and
REMOTE_USER are handled, yet REMOTE_ADDR is present for all scripts and has no
problems - clearly the problem is more fundamental and requires a more
intimate knowledge of Apache 2.0 internals.
>Release-Note:
>Audit-Trail:
>Unformatted:
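The report describes PHPWrap as a shell script that dumps the environment before exec'ing PHP. As an added example (not the reporter's PHPWrap script), the wrapper below records whether AUTH_TYPE and REMOTE_USER reached the Action script and refuses to run PHP when they did not; PHP_BIN, AUTHDIAG_LOG and the function names are assumptions.

```sh
#!/bin/sh
# Added diagnostic example; not the reporter's PHPWrap script.
# PHP_BIN and AUTHDIAG_LOG are assumed names and paths; adjust for your host.
PHP_BIN="${PHP_BIN:-/usr/local/bin/php}"
AUTHDIAG_LOG="${AUTHDIAG_LOG:-/tmp/authdiag.log}"

# Print the names of the HTTP authentication variables that are unset or
# empty in the environment the server handed to this script.
missing_auth_vars() {
    missing=""
    for name in AUTH_TYPE REMOTE_USER; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    echo "${missing# }"
}

# Append one line per request. REMOTE_ADDR is logged as a control: the
# report notes it is present even when the authentication variables are not.
# For an Action handler, PATH_TRANSLATED names the requested document.
log_request() {
    printf '%s doc=%s addr=%s auth_type=%s user=%s missing=[%s]\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${PATH_TRANSLATED:-?}" \
        "${REMOTE_ADDR:-?}" "${AUTH_TYPE:-}" "${REMOTE_USER:-}" \
        "$(missing_auth_vars)" >> "$AUTHDIAG_LOG"
}

# Fail closed: an application that trusts REMOTE_USER must not run with an
# empty identity, so answer 500 instead of exec'ing PHP.
handle_request() {
    log_request
    if [ -n "$(missing_auth_vars)" ]; then
        printf 'Status: 500 Internal Server Error\r\n'
        printf 'Content-Type: text/plain\r\n\r\n'
        echo "authentication context missing"
        return 1
    fi
    exec "$PHP_BIN"
}

# Only act when invoked by the web server (CGI sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request
fi
```

Comparing the log lines written for a regular CGI request and for an Action-driven request under the same .htaccess shows directly whether the server dropped the authentication variables.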