#441 HTTP_ENV_VARS used to find REMOTE_USER

Category: User_Authentication
Status: closed
Group: PHP 4.1 (9)
Priority: 5
Updated: 2012-10-11
Created: 2005-04-05
Creator: jpr
Private: No

It seems that the _deduceUsername() function in
lib/main.php is using the HTTP_ENV_VARS[] array to attempt
to determine the REMOTE_USER variable for HTTP based
authentication.

As best I can tell, this code should be using
HTTP_SERVER_VARS to discover REMOTE_USER. I think
HTTP_ENV_VARS could only contain REMOTE_USER if phpwiki's
caller set this in the process's environment explicitly. (This
may be true if php is invoked as a CGI or from the command
line. I'm not familiar with this.)

Nonetheless, when phpwiki is run via mod_php,
REMOTE_USER won't be found in HTTP_ENV_VARS.

Diff snippet for lib/main.php from 1.3.10. Seems to be in
current CVS too, though. Interestingly, the SOAP auth
portion of _deduceUsername in CVS includes
HTTP_SERVER_VAR checking for REMOTE_USER.

586,587c586,587
< if (!empty($HTTP_ENV_VARS['REMOTE_USER']))
< return $HTTP_ENV_VARS['REMOTE_USER'];


    if (!empty($HTTP_SERVER_VARS['REMOTE_USER'])) 
        return $HTTP_SERVER_VARS['REMOTE_USER'];
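Review bot: replacing the `$HTTP_ENV_VARS['REMOTE_USER']` test outright, as this hunk does, removes the only path by which a PHP run as CGI (the case the report itself mentions) could still pick up REMOTE_USER from the process environment; check `$HTTP_SERVER_VARS['REMOTE_USER']` first and keep the existing `$HTTP_ENV_VARS['REMOTE_USER']` test as a fallback rather than dropping it. The added `if` line also carries trailing whitespace.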

Discussion

  • jpr - 2005-04-05

    This link describes PHP's predefined variables in this context:

    http://us3.php.net/reserved.variables

  • Reini Urban - 2005-04-06

    We are doing _ENV checks after checking _SERVER for legacy
    reasons. Older PHPs didn't populate _SERVER from _ENV with CGI.

    This piece of code is only triggered by a very old PHP as
    CGI. Everything else is caught earlier by
    if (!empty($HTTP_SERVER_VARS['PHP_AUTH_USER']))
    return $HTTP_SERVER_VARS['PHP_AUTH_USER'];

    Sorry I don't know the exact php version when this was fixed.

  • jpr - 2005-04-06

    I can understand the need to be backward compatible. I wasn't
    aware of the older mis-feature in PHP. Nonetheless, I think
    HTTP_SERVER_VARS should still be checked along with these
    other arrays.

    From tests I've done it seems that PHP_AUTH_USER will only be
    set reliably if the wiki code itself manages the HTTP
    authentication, i.e. returns the 301 msg.

    There are Apache auth modules that don't set PHP_AUTH_USER,
    relying exclusively on REMOTE_USER. Pubcookie
    (http://pubcookie.org) is an example of such an authn module. Its
    use is desirable for integration with external identity systems and
    because it offers secure, central authentication. In order to
    support these modules, REMOTE_USER should also be checked.

    http://docs.php.net/en/features.http-auth.html

    I've always found this document's wording subtle and confusing. It
    says that you can allow PHP code to manage the authn with the
    header() function only when it's a module, i.e. only when it could
    take full control of content exchange with the client. In this case
    mod_php becomes responsible for structuring the
    HTTP_SERVER_VARS and can load PHP_AUTH_USER.
    In cases where you rely exclusively on Apache's auth mechanism,
    these variables would have to be set by that authn mechanism.

    I think it would be worth checking both to handle either case. :)

    Thanks for the consideration.

  • Reini Urban - 2005-04-07

    Ok, I've checked in a fix to honor $_SERVER['REMOTE_USER'] also
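The lookup order the thread converges on (PHP_AUTH_USER, then $_SERVER['REMOTE_USER'], then the legacy $_ENV fallback), written as an added example that is not PhpWiki's lib/main.php. It takes the arrays and SAPI name as parameters so the four situations discussed above can be replayed with constructed input; the assumption that the $_ENV fallback should only apply under a CGI SAPI, and the control-character check, are this example's own additions.

```php
<?php
// Added example, not PhpWiki code. In production call it as
// deduceHttpUsername($_SERVER, $_ENV, php_sapi_name()).
function deduceHttpUsername(array $server, array $env, string $sapi): ?string
{
    // 1. PHP-managed HTTP auth: when the PHP code itself sent the
    //    WWW-Authenticate header, mod_php fills PHP_AUTH_USER.
    if (!empty($server['PHP_AUTH_USER'])) {
        return normalizeUser($server['PHP_AUTH_USER']);
    }
    // 2. Web-server-managed auth (Apache Basic/Digest, Pubcookie, ...):
    //    the server sets REMOTE_USER only after its own module accepted
    //    the client, and such modules generally do not set PHP_AUTH_USER.
    if (!empty($server['REMOTE_USER'])) {
        return normalizeUser($server['REMOTE_USER']);
    }
    // 3. Legacy fallback (assumption: confine it to CGI SAPIs): old CGI
    //    builds exposed REMOTE_USER only in the process environment.
    //    Under mod_php an unrelated environment variable is never treated
    //    as a login.
    if (strpos($sapi, 'cgi') === 0 && !empty($env['REMOTE_USER'])) {
        return normalizeUser($env['REMOTE_USER']);
    }
    return null;
}

// Reject empty values and control characters so the result is safe to
// log and to compare against stored user names.
function normalizeUser(string $raw): ?string
{
    $user = trim($raw);
    if ($user === '' || preg_match('/[\x00-\x1f\x7f]/', $user)) {
        return null;
    }
    return $user;
}

// Constructed scenarios mirroring the discussion above.
$cases = [
    'mod_php, PHP manages auth'    => [['PHP_AUTH_USER' => 'alice'], [], 'apache2handler'],
    'mod_php, Apache auth module'  => [['REMOTE_USER' => 'bob'], [], 'apache2handler'],
    'old PHP as CGI'               => [[], ['REMOTE_USER' => 'carol'], 'cgi-fcgi'],
    'mod_php, env var only'        => [[], ['REMOTE_USER' => 'dave'], 'apache2handler'],
];
foreach ($cases as $label => [$server, $env, $sapi]) {
    printf("%-30s -> %s\n", $label, deduceHttpUsername($server, $env, $sapi) ?? '(none)');
}
```

The first three scenarios yield alice, bob and carol respectively; the fourth yields no user, because an environment variable alone is not accepted as a login outside CGI.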
