Why to have owner's uid of the file when WWW-Authenticate header?

21 years ago by Kamesh Jayachandran — view source — reply

unread

Hi All,

I want to know the reason behind the having the uid of the owner of the
file shown as a part of realm string the WWW-Authenticate when safe_mode
is enabled.

With regards
Kamesh Jayachandran

21 years ago by Uwe Schindler — view source — reply

unread

Something additional to this:
I am fixing bug #29805 (HTTP Authentication Issues in NSAPI).

Copied from some other SAPIs I have done this by adding of the following line:

     if (!PG(safe_mode))

php_handle_auth_data(pblock_findval("authorization", rq->headers) TSRMLS_CC);

The problem is: Apache disables this in safe mode only if some other
authentication (like .htaccess) is active. In NSAPI you cannot check this,
so I disabled the whole authentication in NSAPI. Other SAPIs do not check
for safe mode.

What is the background of disabling of passing the headers "Authentication"
and the user/password pairs in it to the user? Is it a problem to simply
give the user access to this information (even with safe mode) - If there
is some authentication by .htaccess or something other it is normally from
the same user that wrote the script.

Uwe

At 16:34 22.09.2004, you wrote:

Hi All,

I want to know the reason behind the having the uid of the owner of the
file shown as a part of realm string the WWW-Authenticate when safe_mode
is enabled.

With regards
Kamesh Jayachandran

--

Uwe Schindler
thetaphi@php.net - http://www.php.net
NSAPI SAPI developer
Erlangen, Germany

21 years ago by Rasmus Lerdorf — view source — reply

unread

What is the background of disabling of passing the headers "Authentication"
and the user/password pairs in it to the user? Is it a problem to simply
give the user access to this information (even with safe mode) - If there
is some authentication by .htaccess or something other it is normally from
the same user that wrote the script.

Normally, sure. But say on a shared host http://www.isp.com/~bob sets up
a password-protected page. Then Tom comes along and wants to grab the
user ids and passwords from Bob's site. Safe-mode is enabled so he can't
simply write a script to steal the passwords, and even if he could, they
are encrypted. So the way to hack it is to just password protect one of
his own pages and give it the same auth domain as Bob's pages and anybody
who visits http://www.isp.com/~tom anytime after visiting /~bob will
invisibly send their auth data to Tom.

-Rasmus