Check REDIRECT_HTTP_AUTHORIZATION header in app_dev.php #45

Closed
discordier opened this issue Aug 23, 2017 · 7 comments
discordier commented Aug 23, 2017

We should discuss if we want to add:

     if (false === $accessKey) {
         header('HTTP/1.0 403 Forbidden');
         die(sprintf('You are not allowed to access this file. Check %s for more information.', basename(__FILE__)));
     }
+
+    // Check for alternate authorization header set by FastCGI et al.
+    if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
+    }
 
     if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
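Review bot: the added `list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)))` line has two gaps. First, `explode(':', ...)` has no limit, so a password that itself contains a colon is cut off at its first colon and the login fails; use `explode(':', $decoded, 2)`. Second, `substr(..., 6)` assumes the value starts with `Basic ` without checking it, so a Bearer token or any malformed value is base64-decoded as garbage; when the decoded string has no colon, `list()` leaves `PHP_AUTH_PW` as null (with a notice) while `PHP_AUTH_USER` holds the garbage, and the following `isset()` check then behaves differently from the no-header case. Suggest checking the scheme prefix first, decoding with `base64_decode($value, true)`, and only assigning both variables when the split yields exactly two parts.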

This will provide the authorization in environments where the requests are proxied and therefore no HTTP_AUTHORIZATION environment variable is available.

@aschempp (Member)

Shouldn't that be done in the .htaccess like https://github.com/contao/manager-bundle/blob/master/src/Resources/web/.htaccess#L21 ?

@discordier (Author)

I don't know if it is an apache only thing or if it also applies to other web servers.
TBH, it was the first time ever I encountered the header at all.

However, I started to wonder if we should change the app_dev to work without any special treatment via .htaccess and the like. I know it will get slower but might work in "all standard setups".

I have not defined yet what the supported setups might be, hence this ticket to discuss if we should do anything at all.

@Toflar (Member) commented Aug 28, 2017

Any idea if this is some standard? Couldn't even find any reference to that header in the Symfony Request class.

@discordier (Author)

I only found some mentions of it here and here.

The problem is that FastCGI seems to prefix HTTP_AUTHORIZATION with REDIRECT_. Therefore the original header is not to be found anymore.
I assume (have not tested though) if we change the .htaccess to set the REDIRECT_HTTP_AUTHORIZATION instead of HTTP_AUTHORIZATION that we will end up with REDIRECT_REDIRECT_HTTP_AUTHORIZATION then.

@discordier (Author)

As discussed on mumble on 2017-10-05, we will move `$request = Request::createFromGlobals();` up and use the server bag.
See: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/ServerBag.php#L63
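For readers who want to see what a correct stand-alone version of the originally proposed check looks like, the following is an added example; it is not code from this issue, from the contao project, or from Symfony, and the function names `parseBasicAuthorization` and `applyRedirectedAuthorization` are invented for the illustration. It handles the cases the proposed snippet did not: a non-Basic scheme, non-base64 input, a missing colon, and a password containing a colon. The fix the thread actually adopted delegates this parsing to Symfony's `ServerBag` instead.

```php
<?php
// Added example (not code from the issue, contao or Symfony): a hardened
// version of the proposed app_dev.php check that derives PHP_AUTH_USER and
// PHP_AUTH_PW from the REDIRECT_HTTP_AUTHORIZATION (or HTTP_AUTHORIZATION)
// server variable that survives a FastCGI / mod_rewrite redirect.
//
// Compared with the snippet in the issue it:
//   * verifies the "Basic" scheme before decoding instead of blindly
//     skipping six bytes,
//   * decodes base64 in strict mode and rejects garbage,
//   * splits on the first ':' only, so passwords containing ':' survive,
//   * never assigns a half-populated credential pair.

declare(strict_types=1);

/**
 * Parse an HTTP Basic credential value such as "Basic dXNlcjpwYXNz".
 *
 * @return array{0: string, 1: string}|null  [user, password], or null when
 *                                           the value is not valid Basic auth.
 */
function parseBasicAuthorization(string $value): ?array
{
    // Scheme names are case-insensitive (RFC 7235), so "basic " must match too.
    if (!preg_match('/^Basic\s+(\S+)$/i', trim($value), $m)) {
        return null;
    }

    // Strict decoding rejects characters outside the base64 alphabet.
    $decoded = base64_decode($m[1], true);
    if (false === $decoded) {
        return null;
    }

    // RFC 7617: the user-id must not contain ':', the password may.
    // Limit 2 keeps everything after the first colon as the password.
    $parts = explode(':', $decoded, 2);
    if (2 !== count($parts)) {
        return null;
    }

    return [$parts[0], $parts[1]];
}

/**
 * Populate PHP_AUTH_USER / PHP_AUTH_PW in $server from the Authorization
 * header variants left behind by a proxied or rewritten request.
 *
 * Returns the (possibly updated) server array; pass $_SERVER in real use.
 */
function applyRedirectedAuthorization(array $server): array
{
    // Nothing to do if the SAPI already populated the credentials.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return $server;
    }

    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        $credentials = parseBasicAuthorization($server[$key]);
        if (null !== $credentials) {
            [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']] = $credentials;
        }
        // Stop at the first header found so a second variable cannot
        // silently override the first one.
        break;
    }

    return $server;
}

// Constructed sample input: what the server variables look like after the
// web server has renamed the Authorization header on redirect.
$proxied = [
    'REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:pa:ss'),
];
$result = applyRedirectedAuthorization($proxied);
printf("user=%s password=%s\n", $result['PHP_AUTH_USER'] ?? '(unset)', $result['PHP_AUTH_PW'] ?? '(unset)');

// Constructed malformed input: credentials stay unset rather than half-populated.
$broken = applyRedirectedAuthorization(['REDIRECT_HTTP_AUTHORIZATION' => 'Basic %%%']);
printf("malformed header -> user set: %s\n", isset($broken['PHP_AUTH_USER']) ? 'yes' : 'no');

// Constructed non-Basic input: a bearer token must not be decoded as Basic.
$bearer = applyRedirectedAuthorization(['HTTP_AUTHORIZATION' => 'Bearer abc.def.ghi']);
printf("bearer header -> user set: %s\n", isset($bearer['PHP_AUTH_USER']) ? 'yes' : 'no');
```

The loop checks HTTP_AUTHORIZATION before the REDIRECT_ variant so that an environment which passes the original header through is not second-guessed by a stale redirected copy.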

@aschempp (Member)

Can you please try a3148f8?

@discordier (Author)

Works like a charm.

Tested hosting is 1&1 btw.

@aschempp aschempp added this to the 4.5.0 milestone Nov 8, 2017
@aschempp aschempp closed this as completed Nov 8, 2017
@aschempp aschempp self-assigned this Nov 8, 2017