[HTTPFoundation] fixed stripped HTTP_AUTHORIZATION headers #7649
Conversation
Populating the $server variable passed to the request with apache_request_headers() if available.
| $request = new static($_GET, $_POST, array(), $_COOKIE, $_FILES, $_SERVER); | ||
| $server = $_SERVER; | ||
| if (function_exists('apache_request_headers') && apache_request_headers() !== false) { | ||
| $server = array_merge( |
There was a problem hiding this comment.
Shouldn't it be array_replace as it's a key-value array ?
There was a problem hiding this comment.
Actually, array_merge only behaves different if numeric keys are involved. As all keys should be non-numeric, I can change it to use array_replace if it's a better fit for this situation.
|
I fear that this is slowing down things lot. Looking at the impl, I stumbled about this other PR #3551, which looks like a better approach. |
|
Closing in favor of a documentation update: see symfony/symfony-docs#2529 |
|
@fabpot the documentation update is missing a key point. While php-cgi does not pass the BASIC authentication header, php in general does not pass the BEARER authentication header at all. To get this header accessing the apache native function is required. Is it worth re-discussing this in #19693 (comment) or reopening here? |
|
@andig Please open an issue in the documentation repository if you think we can clarify it. |
I am not 100% sure about this PR. I didn't find a way to add proper tests and I am relying on what my apache looks like and what the issue #7170 told.