www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Begley <d.beg...@uws.edu.au>
Subject general/8711: HTTP authentication variables not propogated to Action scripts
Date Thu, 08 Nov 2001 10:59:57 GMT

>Number:         8711
>Category:       general
>Synopsis:       HTTP authentication variables not propogated to Action scripts
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Nov 08 03:00:00 PST 2001
>Originator:     d.begley@uws.edu.au
>Release:        2.0
Operating System:
  Sun Solaris 2.7 (SPARC)
  GNU CC (gcc) 2.8.1
Additional Third-Party Apache Modules:
Additional Software:
  PHP/4.0.6 (using the CGI interface)
The HTTP authentication variables usually seen by CGI scripts, namely AUTH_TYPE
and REMOTE_USER, are not being propogated to "Action" scripts even though they
are working for regular CGI scripts.  Tested a number of Apache versions to
check this, each using an identical httpd.conf/.htaccess environment:

  Apache/1.3.22 (Unix) - works for both CGI and Action
  Apache/2.0.16 (Unix) - works for CGI, Action fails
  Apache/2.0.27 (Unix) - works for CGI, Action fails

With each of these versions, if you call the standard "test-cgi" CGI shell
script after configuring Apache to authenticate access to the script, the
variables REMOTE_USER and AUTH_TYPE are clearly visible.  If you call a PHP
script that prints these variables when PHP runs as an Action (see below),
Apache/1.3.22 works but both Apache 2.0.x versions fail.

Further, access_log shows the authenticated user for each request under 1.3.22
but under both 2.0.x versions there is no user ID logged;  again, this is using
an identical httpd.conf/.htaccess configuration.

The action is configured simply as per:

Action application/x-httpd-php /cgi-bin/phpwrap

PHPWrap is a shell script that dumps all environment variables prior to exec'g
PHP proper - this was done to see if the problem was PHP's or Apache's;  it is
clear from this that the problem is Apache's as the REMOTE_USER and AUTH_TYPE
variables are never passed to PHP under 2.0.x but work under 1.3.22.

Unfortunately with both REMOTE_USER and AUTH_TYPE missing, a number of Web
applications written using HTTP authentication all fail to operate, making
this a critical fault (certainly before Apache 2.0 goes "production" anyway).
Configure PHP to use the CGI interface, configure Apache to call PHP using an
"Action" then try running a few regular CGI scripts versus PHP scripts when
authenticated - REMOTE_USER and AUTH_TYPE appear for the regular CGI scripts
but never appear (and no user details are logged) for the Action-driven
Unfortunately not;  I've had a quick look at the 2.0.16 source code and there
does not appear to be any major difference between how REMOTE_ADDR and
REMOTE_USER are handled, yet REMOTE_ADDR is present for all scripts and has no
problems - clearly the problem is more fundamental and requires a more
intimate knowledge of Apache 2.0 internals.
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]

View raw message