Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.1.8

Bug #1634 digest auth should use $server['REQUEST_URI'] rather than $server['PHP_SELF'] ?
Submitted: 2004-06-14 09:57 UTC
From: basic at mozdev dot org Assigned: hirokawa
Status: Closed Package: Auth_HTTP
PHP Version: 4.3.6 OS: Gentoo Linux
Roadmaps: (Not assigned)    
Subscription  


 [2004-06-14 09:57 UTC] basic at mozdev dot org
Description: ------------ with digest authentication $server['PHP_SELF'] is used rather than $server['REQUEST_URI']. This cause problems for urls like http://host/path/ which becomes /path/index.php in PHP_SELF and does not match /path/ which was the request uri of the browser, this also causes problems when there is a get string involved. Here's a patch to fix that: http://basic.xullum.net/Auth_HTTP.patch

Comments

 [2004-06-16 22:37 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!
 [2004-06-17 15:11 UTC] basic at mozdev dot org
lets say I have a page called http://domain.com/index.php that uses Auth_HTTP. There are 2 URLs that a user can access this page: http://domain.com/index.php and http://domain.com/. If the user used http://domain.com/index.php, /index.php would be used as the path for the authentication, if the user used http://domain.com/, / would be used as the path for the authentication. If you use PHP_SELF, it would only match the first case and not the second (since PHP_SELF would give /index.php for both). And if there is a get string involved http://domain.com/path/file.php?a=b&c=e , using PHP_SELF would also not work (since PHP_SELF would give /path/file.php and not /path/file.php?a=b&c=e). I'm using Mozilla as my test client. Any code that uses Auth_HTTP with digest authentication and uses something like what I described above would be affected by this issue.
 [2004-06-19 03:09 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!
 [2004-06-19 03:34 UTC] basic at mozdev dot org
I've used Mozilla 1.6/1.7rc, will try with older versions. At any rate using PHP_SELF is still wrong. I suppose you could strip out the get string from the REQUEST_URI for the older browsers? It's needed at least for the /path/index.php case.
 [2004-06-19 04:46 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!