ID:               43161
Updated by:       [EMAIL PROTECTED]
Reported By:      yarodin at gmail dot com
-Status:          Open
+Status:          Bogus
Bug Type:         HTTP related
Operating System: FreeBSD 6.3-PRERELEASE
PHP Version:      5.2.4
New Comment:

The reason is to prevent stealing auth session from independent
directories on the same host and we won't change anything related to
that as safe_mode is being removed with PHP 6.


Previous Comments:
------------------------------------------------------------------------

[2007-10-31 11:52:13] yarodin at gmail dot com

Description:
------------
I really don't understand how "If safe mode is enabled, the uid of
the script is ADDED to the realm part of the WWW-Authenticate header."
increases security. And why is this behavior not optional (without
disabling all safe_mode restrictions)?
For other strange behavior of this functionality (from my point of
view), see below.

Reproduce code:
---------------
safe_mode=On / pcre=enabled

1. Example 34.1. Basic HTTP Authentication example from
http://www.php.net/manual/en/features.http-auth.php
2. Example 34.2. Digest HTTP Authentication example from
http://www.php.net/manual/en/features.http-auth.php

Expected result:
----------------
1. Considering the note in the docs, "If safe mode is enabled, the uid
of the script is ADDED to the realm part of the WWW-Authenticate
header.", I expect
realm=uid My Realm
or
realm=My Realm uid
2. Digest http auth ;)

Actual result:
--------------
1. realm=uid
I.e. PHP is REPLACING the realm with the uid of the script when
safe_mode=on.
2. Always changed to Basic http auth

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=43161&edit=1