Newsgroups: php.internals
Date: Fri, 9 Sep 2016 21:40:30 +0200
Subject: Re: [PHP-DEV] [PHPDEV] Bearer Auth
From: marijic.silvio@gmail.com (Silvio Marijić)
To: Stephen Reay
Cc: Stephen Reay, Niklas Keller, PHP Internals List

It does. This is sort of a workaround. The Authorization header is considered
a "custom" header and as such Apache strips it by default in order to enhance
security. Unlike Apache, CGI and FP SAPIs allow this header.

2016-09-09 20:49 GMT+02:00 Stephen Reay :

> Doesn't the bug specifically say that the entry *isn't* in $_SERVER, and
> must be fetched via apache_request_headers()?
>
>
>
> Sent from my iPhone
>
> > On 10 Sep 2016, at 00:15, Silvio Marijić
> wrote:
> >
> > @Stephen
> >
> > Yes, this change does not remove any previous variables in $_SERVER, only
> > adds PHP_AUTH_BEARER when present in request.
> >
> > 2016-09-09 18:07 GMT+02:00 Stephen Reay :
> >
> >> Does this change also leave the raw header in
> >> $_SERVER['HTTP_AUTHORIZATION'] ?
> >>
> >>>> On 9 Sep 2016, at 21:30, Silvio Marijić
> >>> wrote:
> >>>
> >>> @Niklas
> >>> We are already supporting Basic and Digest, and Bearer and MAC are used
> >>> widely as a form of token authorization.
> >>>
> >>> 2016-09-09 14:37 GMT+02:00 Niklas Keller :
> >>>
> >>>> 2016-09-09 14:17 GMT+02:00 Silvio Marijić :
> >>>>
> >>>>> Came across this issue https://bugs.php.net/bug.php?id=72915 and got an
> >>>>> idea. I've added PHP_AUTH_BEARER to $_SERVER when Bearer auth token is
> >>>>> used as Authorization method.
> >>>>>
> >>>>> Does this kind of change require an RFC? Would this kind of change be
> >>>>> useful enough to go into the codebase?
> >>>>>
> >>>>> Here are the changes I made:
> >>>>> https://github.com/php/php-src/compare/master...smarijic:php_auth_bearer
> >>>>>
> >>>>> Cheers,
> >>>>> Silvio.
> >>>>> --
> >>>>> Silvio Marijić
> >>>>> Software Engineer
> >>>>> 2e Systems
> >>>>
> >>>> I don't see why we should special case Bearer tokens.
> >>>>
> >>>> Regards, Niklas
> >>>
> >>>
> >>>
> >>> --
> >>> Silvio Marijić
> >>> Software Engineer
> >>> 2e Systems
> >
> >
> > --
> > Silvio Marijić
> > Software Engineer
> > 2e Systems
>

--
Silvio Marijić
Software Engineer
2e Systems
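
Added example, not part of the original message or of the php-src patch linked in the thread: a userland sketch of the lookup the thread discusses, reading the Bearer token from $_SERVER['HTTP_AUTHORIZATION'] where the SAPI exposes it and falling back to apache_request_headers() otherwise. The function names raw_authorization_header() and bearer_token() are hypothetical, the sample inputs are constructed, and the token syntax check follows RFC 6750 (an assumption; the thread does not specify validation).

```php
<?php
declare(strict_types=1);

/**
 * Return the raw Authorization header value, or null if none is visible.
 * $server is passed in (normally $_SERVER) so the logic can be exercised offline.
 */
function raw_authorization_header(array $server): ?string
{
    // SAPIs that pass the header through expose it as HTTP_AUTHORIZATION.
    $value = $server['HTTP_AUTHORIZATION'] ?? null;
    if (is_string($value) && $value !== '') {
        return $value;
    }
    // Otherwise ask the web server for the request headers directly,
    // as the bug report referenced in the thread describes.
    if (function_exists('apache_request_headers')) {
        $headers = apache_request_headers();
        if (is_array($headers)) {
            foreach ($headers as $name => $headerValue) {
                // Header names are case-insensitive.
                if (strcasecmp((string) $name, 'Authorization') === 0) {
                    return (string) $headerValue;
                }
            }
        }
    }
    return null;
}

/**
 * Extract a Bearer token, or return null when the header is absent,
 * uses another scheme (Basic, Digest, ...), or is not a valid b64token.
 */
function bearer_token(array $server): ?string
{
    $header = raw_authorization_header($server);
    if ($header === null) {
        return null;
    }
    // Scheme match is case-insensitive; token charset per RFC 6750 section 2.1.
    $pattern = '#^Bearer +([A-Za-z0-9\-._~+/]+=*)$#iD';
    return preg_match($pattern, trim($header), $m) === 1 ? $m[1] : null;
}

// Constructed sample inputs.
var_dump(bearer_token(['HTTP_AUTHORIZATION' => 'Bearer abc.DEF-123_~+/==']));
var_dump(bearer_token(['HTTP_AUTHORIZATION' => 'Basic dXNlcjpwYXNz']));
var_dump(bearer_token(['HTTP_AUTHORIZATION' => "Bearer abc\r\nX-Injected: 1"]));
```

Rejecting anything outside the b64token character set keeps control characters and whitespace in a malformed header from reaching code that logs or forwards the token.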