tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule

Browse Source 
Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode
Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md
Added notes  to docs/en/changelogs/3.1.9.md
This commit is contained in:
Corey Sewell 2014-11-28 08:34:55 +13:00 committed by Corey Sewell
parent 3b3478136d
commit fbebf96d66
4 changed files with 51 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
dev/install/install.php5
View File

@ -1494,6 +1494,8 @@ HTML;
if($base != '.') $baseClause = "RewriteBase '$base'\n"; if($base != '.') $baseClause = "RewriteBase '$base'\n";
else $baseClause = ""; else $baseClause = "";
if(strpos(strtolower(php_sapi_name()), "cgi") !== false) $cgiClause = "RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]\n";
else $cgiClause = "";
$modulePath = FRAMEWORK_NAME; $modulePath = FRAMEWORK_NAME;
$rewrite = <<<TEXT $rewrite = <<<TEXT
# Deny access to templates (but allow from localhost) # Deny access to templates (but allow from localhost)
@ -1523,6 +1525,7 @@ ErrorDocument 500 /assets/error-500.html
SetEnv HTTP_MOD_REWRITE On SetEnv HTTP_MOD_REWRITE On
RewriteEngine On RewriteEngine On
$baseClause $baseClause
$cgiClause
# Deny access to potentially sensitive files and folders # Deny access to potentially sensitive files and folders
RewriteRule ^vendor(/|$) - [F,L,NC] RewriteRule ^vendor(/|$) - [F,L,NC]

14
docs/en/changelogs/3.1.9.md Normal file
View File

@ -0,0 +1,14 @@
# 3.1.9
# Overview
This release replaces the 3.1.8 release, and resolves an issue where basic authentication would not work when PHP is running under CGI mode with Apache.
## Upgrading
* Add the rule ``` RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]``` to the .htacces file in your sites root directory after the line ```RewriteEngine On```.
### Bugfixes
## Changelog

2
docs/en/topics/environment-management.md
View File

@ -119,7 +119,7 @@ This is my `_ss_environment.php` file. I have it placed in `/var`, as each of th
| `SS_ENVIRONMENT_TYPE`| The environment type: dev, test or live.| | `SS_ENVIRONMENT_TYPE`| The environment type: dev, test or live.|
| `SS_DEFAULT_ADMIN_USERNAME`| The username of the default admin. This is a user with administrative privileges.| | `SS_DEFAULT_ADMIN_USERNAME`| The username of the default admin. This is a user with administrative privileges.|
| `SS_DEFAULT_ADMIN_PASSWORD`| The password of the default admin. This will not be stored in the database.| | `SS_DEFAULT_ADMIN_PASSWORD`| The password of the default admin. This will not be stored in the database.|
| `SS_USE_BASIC_AUTH`| Protect the site with basic auth (good for test sites)| | `SS_USE_BASIC_AUTH`| Protect the site with basic auth (good for test sites).<br/>When using CGI/FastCGI with Apache, you will have to add the `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]` rewrite rule to your `.htaccess` file|
| `SS_SEND_ALL_EMAILS_TO`| If you set this define, all emails will be redirected to this address.| | `SS_SEND_ALL_EMAILS_TO`| If you set this define, all emails will be redirected to this address.|
| `SS_SEND_ALL_EMAILS_FROM`| If you set this define, all emails will be send from this address.| | `SS_SEND_ALL_EMAILS_FROM`| If you set this define, all emails will be send from this address.|
| `SS_ERROR_LOG` | | | `SS_ERROR_LOG` | |

8
security/BasicAuth.php
View File

@ -50,6 +50,14 @@ class BasicAuth {
$isRunningTests = (class_exists('SapphireTest', false) && SapphireTest::is_running_test()); $isRunningTests = (class_exists('SapphireTest', false) && SapphireTest::is_running_test());
if(!Security::database_is_ready() || (Director::is_cli() && !$isRunningTests)) return true; if(!Security::database_is_ready() || (Director::is_cli() && !$isRunningTests)) return true;
$matches = array();
if (isset($_SERVER['HTTP_AUTHORIZATION']) &&
preg_match('/Basic\s+(.*)$/i', $_SERVER['HTTP_AUTHORIZATION'], $matches)) {
list($name, $password) = explode(':', base64_decode($matches[1]));
$_SERVER['PHP_AUTH_USER'] = strip_tags($name);
$_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}
$member = null; $member = null;
if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) { if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
$member = MemberAuthenticator::authenticate(array( $member = MemberAuthenticator::authenticate(array(