[HttpFoundation] HTTP Basic authentication is broken with php-cgi under Apache #3551
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
||
| // Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW | ||
| if ($authorization_header && (!isset($this->parameters['PHP_AUTH_USER']) || !isset($this->parameters['PHP_AUTH_PW']))) { | ||
| list($this->parameters['PHP_AUTH_USER'], $this->parameters['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($authorization_header, 6))); |
There was a problem hiding this comment.
the indentation should use 4 spaces, not 8
and instead modifying $this->parameters, I would modify $parameters before calling the parent constructor
There was a problem hiding this comment.
you should also use camelCase variable names ($authorizationHeader instead of $authorization_header).
|
you should also add a unit test for this |
|
Thanks for the feedback, I committed the changes. |
| @@ -19,6 +19,26 @@ | |||
| */ | |||
| class ServerBag extends ParameterBag | |||
| { | |||
| public function __construct(array $parameters = array()) | |||
| { | |||
| $authorizationHeader = null; | |||
|
@fabpot could you review it ? |
|
My comments:
|
|
A quick note on that .htaccess/apache configuration required, if adding to the Symfony SE htaccess file, then it will need to look like this: NOTE: No ,L in the Authorization Rewrite as in the original example - it prevents the front controller rewrite from happening |
| } | ||
|
|
||
| // Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW | ||
| if ($authorizationHeader) { |
There was a problem hiding this comment.
Sf standard would be to use null !== when testing $authorizationHeader
|
ok, so is my PR is useless or should I still fix problems? |
|
your PR is fine for sure and I don't want to interfere, just wanted to mention that part of the bug hunt day of Symfony I had a go at this PR as an "exercise" but just saw later on that you already fixed the problem, so you can ignore my pushes |
|
I have been working with @towards: your PR is useful, please implement his comments and squash your PR. |
…fastCGI under Apache Bug fix: yes Feature addition: no Backwards compatibility break: no Symfony2 tests pass: yes Fixes the following tickets: symfony#1813 Todo: - In order to work, add this to the .htaccess: RewriteEngine on RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ app.php [QSA,L]
|
never squashed before, is it okay now? :) |
|
it is |
|
@fabpot this should be ready to be merged |
fabpot
added a commit
that referenced
this pull request
May 21, 2012
Commits ------- a450d00 [HttpFoundation] HTTP Basic authentication is broken with PHP as cgi/fastCGI under Apache Discussion ---------- [HttpFoundation] HTTP Basic authentication is broken with php-cgi under Apache Bug fix: yes Feature addition: no Backwards compatibility break: no Symfony2 tests pass: yes Fixes the following tickets: #1813 Todo: - In order to work, add this to the .htaccess: RewriteEngine on RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ app.php [QSA,L] --------------------------------------------------------------------------- by stof at 2012-03-10T17:34:26Z you should also add a unit test for this --------------------------------------------------------------------------- by kepten at 2012-03-11T15:34:04Z Thanks for the feedback, I committed the changes. --------------------------------------------------------------------------- by stof at 2012-04-04T01:59:53Z @fabpot could you review it ? --------------------------------------------------------------------------- by fabpot at 2012-04-04T07:15:34Z My comments: * `ServerBag` represents what we have in the `$_SERVER` global variables. As such, the code should be moved to the `getHeaders()` method instead like the other tweaks we do for the HTTP headers. * A comment must be added explaining why this is needed and the configuration the user must have to make it work (then remove the Github URLs). * The code should only be executed when `PHP_AUTH_USER` is not available (to not have any overhead when not needed). --------------------------------------------------------------------------- by danielholmes at 2012-04-14T13:27:09Z A quick note on that .htaccess/apache configuration required, if adding to the Symfony SE htaccess file, then it will need to look like this: ``` <IfModule mod_rewrite.c> RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ app.php [QSA,L] </IfModule> ``` NOTE: No **,L** in the Authorization Rewrite as in the original example - it prevents the front controller rewrite from happening --------------------------------------------------------------------------- by towards at 2012-04-20T16:12:49Z @kepten you were faster than me applying @fabpot's comments :) nevertheless part of the bug hunt day I also modified the ServerBag class and tested them on a productive LAMP hosting server using Apache and FastCGI --------------------------------------------------------------------------- by kepten at 2012-04-20T16:15:57Z ok, so is my PR is useless or should I still fix problems? --------------------------------------------------------------------------- by towards at 2012-04-20T16:20:26Z your PR is fine for sure and I don't want to interfere, just wanted to mention that part of the bug hunt day of Symfony I had a go at this PR as an "exercise" but just saw later on that you already fixed the problem, so you can ignore my pushes --------------------------------------------------------------------------- by vicb at 2012-04-20T16:20:36Z I have been working with @towards: your PR is useful, please implement his comments and squash your PR. --------------------------------------------------------------------------- by kepten at 2012-04-20T16:59:07Z never squashed before, is it okay now? :) --------------------------------------------------------------------------- by stof at 2012-04-20T17:21:07Z it is --------------------------------------------------------------------------- by vicb at 2012-05-20T19:57:51Z @fabpot this should be ready to be merged
This was referenced Apr 20, 2013
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bug fix: yes
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes
Fixes the following tickets: #1813
Todo: -
In order to work, add this to the .htaccess:
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]