tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

BUG Fix basic auth in PHP-CGI

Browse Source 
Fixes #7717
This commit is contained in:
Damian Mooyman 2017-12-21 09:50:14 +13:00
parent 7e4ff1fb90
commit f885101a1b
No known key found for this signature in database
GPG Key ID: 78B823A10DE27D1A
2 changed files with 36 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/Control/HTTPRequestBuilder.php
View File

@ -99,19 +99,23 @@ class HTTPRequestBuilder
$headers['Content-Length'] = $server['CONTENT_LENGTH']; $headers['Content-Length'] = $server['CONTENT_LENGTH'];
} }
// Enable HTTP Basic authentication workaround for PHP running in CGI mode with Apache
// Depending on server configuration the auth header may be in HTTP_AUTHORIZATION or
// REDIRECT_HTTP_AUTHORIZATION
$authHeader = null;
if (isset($headers['Authorization'])) {
$authHeader = $headers['Authorization'];
} elseif (isset($server['REDIRECT_HTTP_AUTHORIZATION'])) {
$authHeader = $server['REDIRECT_HTTP_AUTHORIZATION'];
}
// Ensure basic auth is available via headers // Ensure basic auth is available via headers
if (isset($server['PHP_AUTH_USER']) && isset($server['PHP_AUTH_PW'])) { if (isset($server['PHP_AUTH_USER']) && isset($server['PHP_AUTH_PW'])) {
// Shift PHP_AUTH_* into headers so they are available via request // Shift PHP_AUTH_* into headers so they are available via request
$headers['PHP_AUTH_USER'] = $server['PHP_AUTH_USER']; $headers['PHP_AUTH_USER'] = $server['PHP_AUTH_USER'];
$headers['PHP_AUTH_PW'] = $server['PHP_AUTH_PW']; $headers['PHP_AUTH_PW'] = $server['PHP_AUTH_PW'];
} elseif (!empty($headers['Authorization']) && preg_match('/Basic\s+(.*)$/i', $headers['Authorization'], $matches)) { } elseif ($authHeader && preg_match('/Basic\s+(?<token>.*)$/i', $authHeader, $matches)) {
// Enable HTTP Basic authentication workaround for PHP running in CGI mode with Apache list($name, $password) = explode(':', base64_decode($matches['token']));
// Depending on server configuration the auth header may be in HTTP_AUTHORIZATION or
// REDIRECT_HTTP_AUTHORIZATION
//
// The follow rewrite rule must be in the sites .htaccess file to enable this workaround
// RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
list($name, $password) = explode(':', base64_decode($matches[1]));
$headers['PHP_AUTH_USER'] = $name; $headers['PHP_AUTH_USER'] = $name;
$headers['PHP_AUTH_PW'] = $password; $headers['PHP_AUTH_PW'] = $password;
} }

25
tests/php/Control/HTTPRequestBuilderTest.php
View File

@ -52,7 +52,6 @@ class HTTPRequestBuilderTest extends SapphireTest
]; ];
$this->assertEquals($headers, HTTPRequestBuilder::extractRequestHeaders($request)); $this->assertEquals($headers, HTTPRequestBuilder::extractRequestHeaders($request));
$request = [ $request = [
'PHP_AUTH_USER' => 'admin', 'PHP_AUTH_USER' => 'admin',
'PHP_AUTH_PW' => 'password', 'PHP_AUTH_PW' => 'password',
@ -62,5 +61,29 @@ class HTTPRequestBuilderTest extends SapphireTest
'PHP_AUTH_PW' => 'password', 'PHP_AUTH_PW' => 'password',
]; ];
$this->assertEquals($headers, HTTPRequestBuilder::extractRequestHeaders($request)); $this->assertEquals($headers, HTTPRequestBuilder::extractRequestHeaders($request));
$request = [
'REDIRECT_HTTP_AUTHORIZATION' => 'Basic YWRtaW46cGFzc3dvcmQ=',
];
$headers = [
'PHP_AUTH_USER' => 'admin',
'PHP_AUTH_PW' => 'password',
];
$this->assertEquals($headers, HTTPRequestBuilder::extractRequestHeaders($request));
$request = [
'HTTP_AUTHORIZATION' => 'Basic YWRtaW46cGFzc3dvcmQ=',
'REDIRECT_HTTP_AUTHORIZATION' => 'Basic dXNlcjphdXRo=',
];
$headers = [
'PHP_AUTH_USER' => 'admin',
'PHP_AUTH_PW' => 'password',
'Authorization' => 'Basic YWRtaW46cGFzc3dvcmQ=',
];
$this->assertEquals(
$headers,
HTTPRequestBuilder::extractRequestHeaders($request),
'Prefer HTTP_AUTHORIZATION over REDIRECT_HTTP_AUTHORIZATION'
);
} }
} }