Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.1.8

Bug #1634 digest auth should use $server['REQUEST_URI'] rather than $server['PHP_SELF'] ?
Submitted: 2004-06-14 04:57 UTC Modified: 2004-06-18 23:46 UTC
From: basic at mozdev dot org Assigned: hirokawa
Status: Closed Package: Auth_HTTP
PHP Version: 4.3.6 OS: Gentoo Linux
Roadmaps: (Not assigned)    
Subscription  


 [2004-06-14 04:57 UTC] basic at mozdev dot org
Description: ------------ with digest authentication $server['PHP_SELF'] is used rather than $server['REQUEST_URI']. This cause problems for urls like http://host/path/ which becomes /path/index.php in PHP_SELF and does not match /path/ which was the request uri of the browser, this also causes problems when there is a get string involved. Here's a patch to fix that: http://basic.xullum.net/Auth_HTTP.patch

Comments

 [2004-06-16 17:37 UTC] hirokawa
Could you show me the detail of your problem such as browser/os your are using, reproducable short script code ?
 [2004-06-17 10:11 UTC] basic at mozdev dot org
lets say I have a page called http://domain.com/index.php that uses Auth_HTTP. There are 2 URLs that a user can access this page: http://domain.com/index.php and http://domain.com/. If the user used http://domain.com/index.php, /index.php would be used as the path for the authentication, if the user used http://domain.com/, / would be used as the path for the authentication. If you use PHP_SELF, it would only match the first case and not the second (since PHP_SELF would give /index.php for both). And if there is a get string involved http://domain.com/path/file.php?a=b&c=e , using PHP_SELF would also not work (since PHP_SELF would give /path/file.php and not /path/file.php?a=b&c=e). I'm using Mozilla as my test client. Any code that uses Auth_HTTP with digest authentication and uses something like what I described above would be affected by this issue.
 [2004-06-18 22:09 UTC] hirokawa
You shoud know that the HTTP Digest Authentication is depends on the browsers. For the newest version of Mozilla, you are right, we must include the GET parameters into the URI. But, for MSIE and the older version of Mozilla/Firefox, the GET parameters should not be included, we must use PHP_SELF instead of REQUEST_URI. What version of Mozilla are you using ? Can you test with some another browser such as MSIE ? I should implement the browser detection and some conditional block for the different implementation into Auth_HTTP.
 [2004-06-18 22:34 UTC] basic at mozdev dot org
I've used Mozilla 1.6/1.7rc, will try with older versions. At any rate using PHP_SELF is still wrong. I suppose you could strip out the get string from the REQUEST_URI for the older browsers? It's needed at least for the /path/index.php case.
 [2004-06-18 23:46 UTC] hirokawa
This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on pear.php.net. In case this was a pear.php.net website problem, the change will show up on the website in short time. Thank you for the report, and for helping us make PEAR better. I added a new method selfURI(). For MSIE, the query string will be removed in this method. For another browser, REQUEST_URI will be returned.