From: yarodin at gmail dot com
Operating system: FreeBSD 6.3-PRERELEASE
PHP version: 5.2.4
PHP Bug Type: HTTP related
Bug description: WWW-Authenticate and safe_mode

Description:
------------
I really don't understand how "If safe mode is enabled, the uid of the script is ADDED to the realm part of the WWW-Authenticate header." increases security. And why is this behavior not optional (without disabling all safe_mode restrictions)? For other strange behavior of this functionality (from my point of view), see below.

Reproduce code:
---------------
safe_mode=On / pcre=enabled

1. Example 34.1. Basic HTTP Authentication example from http://www.php.net/manual/en/features.http-auth.php
2. Example 34.2. Digest HTTP Authentication example from http://www.php.net/manual/en/features.http-auth.php

Expected result:
----------------
1. Considering the note in the docs, "If safe mode is enabled, the uid of the script is ADDED to the realm part of the WWW-Authenticate header.", I expect realm=uid My Realm or realm=My Realm uid
2. Digest http auth ;)

Actual result:
--------------
1. realm=uid
   I.e. PHP is REPLACING the realm with the uid of the script when safe_mode=on.
2. Always changed to Basic http auth

--
Edit bug report at http://bugs.php.net/?id=43161&edit=1
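
An added example, not part of the original report and not PHP's own code: a Python check that compares the WWW-Authenticate header a script intended to send with the one observed on the wire, and flags the two outcomes reported above (realm replaced by the uid, Digest changed to Basic). The uid 1001, the nonce/opaque values and the header strings are constructed sample data, and only a single challenge per header is handled.

```python
import re

# One auth-param: name=token or name="quoted string" (RFC 7235 challenge syntax).
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

# Constructed sample data (assumptions, not taken from the report).
UID = 1001
BASIC_SENT = 'Basic realm="My Realm"'
DIGEST_SENT = 'Digest realm="Restricted area",qop="auth",nonce="5f3a",opaque="9c1d"'
OBSERVED = 'Basic realm="1001"'


def parse_challenge(value):
    """Split a single-challenge WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        # Unescape quoted-pair sequences such as \" inside quoted strings.
        params[name.lower()] = re.sub(r"\\(.)", r"\1", quoted or bare)
    return scheme.lower(), params


def compare_challenge(intended, observed, uid):
    """List how the header on the wire differs from the one the script sent."""
    want_scheme, want = parse_challenge(intended)
    got_scheme, got = parse_challenge(observed)
    want_realm, got_realm = want.get("realm", ""), got.get("realm", "")
    findings = []
    if got_scheme != want_scheme:
        findings.append("scheme_changed")  # e.g. Digest silently became Basic
    if got_realm != want_realm:
        rest = got_realm.replace(want_realm, "", 1) if want_realm else got_realm
        if got_realm == str(uid):
            findings.append("realm_replaced_by_uid")
        elif want_realm in got_realm and re.search(rf"(?<!\d){uid}(?!\d)", rest):
            findings.append("uid_added_to_realm")
        else:
            findings.append("realm_changed")
    dropped = sorted(set(want) - set(got))
    if dropped:
        findings.append("params_dropped:" + ",".join(dropped))
    return findings


if __name__ == "__main__":
    for sent in (BASIC_SENT, DIGEST_SENT):
        print(sent, "->", compare_challenge(sent, OBSERVED, UID))
```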