contao/manager-bundle

Check REDIRECT_HTTP_AUTHORIZATION header in app_dev.php

discordier opened this issue · 7 comments

We should discuss if we want to add:

     if (false === $accessKey) {
         header('HTTP/1.0 403 Forbidden');
         die(sprintf('You are not allowed to access this file. Check %s for more information.', basename(__FILE__)));
     }
+
+    // Check for alternate authorization header set by FastCGI et al.
+    if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
+    }
 
     if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
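Review bot: the decoding line in the added block assumes the header is a Basic credential and splits on every colon. `substr(..., 6)` strips six characters regardless of scheme, so a Bearer or Digest header would be base64-decoded into garbage; `explode(':', ...)` without a limit truncates a password that itself contains a colon; and a decoded value with no colon at all leaves `list()` with an undefined offset and `PHP_AUTH_PW` unset. Suggest guarding with `0 === stripos($header, 'basic ')`, decoding with `base64_decode(..., true)`, splitting with `explode(':', $decoded, 2)` and only assigning when two parts come back. Minor: drop the stray space in `explode(':' ,`.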

This will provide the authorization in environments where the requests are proxied and therefore no HTTP_AUTHORIZATION environment variable is available.

I don't know if it is an apache only thing or if it also applies to other web servers.
TBH, it was the first time ever I encountered the header at all.

However, I started to wonder if we should change the app_dev to work without any special treatment via .htaccess and the like. I know it will get slower but might work in "all standard setups".

I have not defined yet what the supported setups might be, hence this ticket to discuss if we should do anything at all.

Any idea if this is some standard? Couldn't even find any reference to that header in the Symfony Request class.

I only found some mentions of it here and here.

The problem is that FastCGI seems to prefix HTTP_AUTHORIZATION with REDIRECT_. Therefore the original header is not to be found anymore.
I assume (have not tested though) if we change the .htaccess to set the REDIRECT_HTTP_AUTHORIZATION instead of HTTP_AUTHORIZATION that we will end up with REDIRECT_REDIRECT_HTTP_AUTHORIZATION then.

As discussed on mumble on 2017-10-05, we will move $request = Request::createFromGlobals(); up and use the server bag.
See: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/ServerBag.php#L63
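A defensive version of the fallback discussed in this thread, written as an added example rather than Contao's or Symfony's own code. It assumes PHP 7.1+ and takes an array shaped like $_SERVER; the function name and sample inputs are constructed for illustration.

```php
<?php
// Added example (not Contao's or Symfony's code): derive PHP_AUTH_USER /
// PHP_AUTH_PW from whichever Authorization variable the server exposed.
// Assumption: $server is an array shaped like $_SERVER.

/**
 * Returns [user, password] for a Basic credential, or null when the
 * request carries no usable Basic Authorization header.
 */
function extractBasicAuth(array $server): ?array
{
    // Native values win: the SAPI already decoded the header for us.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }

    // Fall back to the raw header; FastCGI/mod_rewrite setups may only
    // expose it under the REDIRECT_ prefix, as described in the thread.
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? null;
    if (null === $header) {
        return null;
    }

    // Only a Basic credential splits into user:password; ignore Bearer,
    // Digest and anything else rather than decoding garbage.
    if (0 !== stripos($header, 'basic ')) {
        return null;
    }

    // Strict decoding rejects malformed base64 instead of guessing.
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if (false === $decoded) {
        return null;
    }

    // Limit 2: RFC 7617 allows ':' in the password, never in the user-id.
    $parts = explode(':', $decoded, 2);
    if (2 !== count($parts)) {
        return null;
    }

    return $parts;
}

// Constructed sample inputs mimicking a proxied request and a non-Basic header.
var_dump(extractBasicAuth([
    'REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('dev:pa:ss'),
]));
var_dump(extractBasicAuth(['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer abc']));
```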

Can you please try a3148f8?

Works like a charm.

Tested hosting is 1&1 btw.