From 46e61b34483c68636bfc4adfbe7fec7188e4a375 Mon Sep 17 00:00:00 2001
From: Corey Sewell
Date: Tue, 17 Mar 2015 12:07:21 +1300
Subject: [PATCH] Check both $_SERVER['HTTP_AUTHORIZATION'] and $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] for HTTP Basic authentication headers
---
 security/BasicAuth.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/security/BasicAuth.php b/security/BasicAuth.php
index 43fa47691..38db024df 100644
--- a/security/BasicAuth.php
+++ b/security/BasicAuth.php
@@ -50,9 +50,19 @@ class BasicAuth {
 $isRunningTests = (class_exists('SapphireTest', false) && SapphireTest::is_running_test());
 if(!Security::database_is_ready() || (Director::is_cli() && !$isRunningTests)) return true;
+ /*
+ * Enable HTTP Basic authentication workaround for PHP running in CGI mode with Apache
+ * Depending on server configuration the auth header may be in HTTP_AUTHORIZATION or
+ * REDIRECT_HTTP_AUTHORIZATION
+ *
+ * The follow rewrite rule must be in the sites .htaccess file to enable this workaround
+ * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+ */
+ $authHeader = (isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : null));
 $matches = array();
- if (isset($_SERVER['HTTP_AUTHORIZATION']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['HTTP_AUTHORIZATION'], $matches)) {
+ if ($authHeader && preg_match('/Basic\s+(.*)$/i', $authHeader, $matches)) {
 list($name, $password) = explode(':', base64_decode($matches[1]));
 $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
 $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
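Review bot: The new `if ($authHeader && preg_match('/Basic\s+(.*)$/i', $authHeader, $matches))` condition still hands the decoded credential straight to the unchanged `list($name, $password) = explode(':', base64_decode($matches[1]))`, which truncates any password containing a colon and, when an unauthenticated client sends a credential with no colon at all, raises an undefined-offset notice and leaves `$password` null; the commit widens where the header is read from but does not harden what is done with it. RFC 7617 forbids a colon only in the user-id, so the split should be limited to the first colon, the decode should use `base64_decode($matches[1], true)` and the whole header should be ignored when either step fails. While touching the condition it is also cheap to anchor the pattern so a non-Basic scheme that merely contains the word "Basic" is not matched. The added comment's `The follow rewrite rule must be in the sites .htaccess file` reads better as `The following rewrite rule must be in the site's .htaccess file`. The enclosing method starts before this hunk and its `if` body is closed after it.
```php
if ($authHeader && preg_match('/^Basic\s+(\S+)$/i', $authHeader, $matches)) {
    // Strict decode so garbage is rejected rather than silently mangled
    $decoded = base64_decode($matches[1], true);
    // RFC 7617: the user-id cannot contain ':', the password may, so split on the first one only
    if ($decoded !== false && strpos($decoded, ':') !== false) {
        list($name, $password) = explode(':', $decoded, 2);
        $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
        $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
    }
    // … unchanged: remainder of the if body …
```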