Check REDIRECT_HTTP_AUTHORIZATION header in app_dev.php
discordier opened this issue · 7 comments
We should discuss if we want to add:
if (false === $accessKey) {
header('HTTP/1.0 403 Forbidden');
die(sprintf('You are not allowed to access this file. Check %s for more information.', basename(__FILE__)));
}
+
+ // Check for alternate authorization header set by FastCGI et al.
+ if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+ list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
+ }
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
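Review bot: the `explode(':' , base64_decode(...))` call in the added block has no limit, so a password that itself contains a colon is silently truncated (`list()` keeps only the first two elements); use `explode(':', $decoded, 2)`. The `substr(..., 6)` also assumes the header uses the `Basic ` scheme without checking it, and `base64_decode` runs in non-strict mode, so a `Bearer` token or a malformed header would still populate `PHP_AUTH_USER`/`PHP_AUTH_PW` with garbage. Suggest checking the prefix (`0 === stripos($header, 'basic ')`), decoding strictly, and only assigning when the decoded string contains a colon.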
This will provide the authorization in environments where the requests are proxied and therefore no HTTP_AUTHORIZATION
environment variable is available.
Shouldn't that be done in the .htaccess, like https://github.com/contao/manager-bundle/blob/master/src/Resources/web/.htaccess#L21 ?
I don't know if it is an apache only thing or if it also applies to other web servers.
TBH, it was the first time ever I encountered the header at all.
However, I started to wonder if we should change the app_dev to work without any special treatment via .htaccess and the like. I know it will get slower but might work in "all standard setups".
I have not defined yet what the supported setups might be, hence this ticket to discuss if we should do anything at all.
Any idea if this is some standard? Couldn't even find any reference to that header in the Symfony Request class.
I only found some mentions of it here and here.
The problem is that FastCGI seems to prefix HTTP_AUTHORIZATION with REDIRECT_. Therefore the original header is not to be found anymore.
I assume (have not tested though) that if we change the .htaccess to set REDIRECT_HTTP_AUTHORIZATION instead of HTTP_AUTHORIZATION, we will end up with REDIRECT_REDIRECT_HTTP_AUTHORIZATION then.
As discussed on mumble on 2017-10-05, we will move `$request = Request::createFromGlobals();` up and use the server bag.
See: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/ServerBag.php#L63
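For reference, the resolution discussed in this thread in a self-contained form. This is an added example, not code from the Contao project or from Symfony's ServerBag: a function that looks for the native `PHP_AUTH_*` variables first, then falls back to the raw `HTTP_AUTHORIZATION` or `REDIRECT_HTTP_AUTHORIZATION` server variable, and only accepts a well-formed Basic header. The function name `resolveBasicAuth` and the sample server array are assumptions made for the example.

```php
<?php
// Added example (not Contao's or Symfony's code): resolve HTTP Basic
// credentials from the server variables a FastCGI/proxied setup provides.
// Returns [user, password] or null when no usable Basic header is present.
function resolveBasicAuth(array $server): ?array
{
    // Native variables win: the SAPI already decoded the header for us.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }

    // Otherwise read the raw header, preferring the direct variable and
    // falling back to the REDIRECT_-prefixed one mod_rewrite/FastCGI leaves.
    $raw = null;
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && '' !== $server[$key]) {
            $raw = $server[$key];
            break;
        }
    }
    if (null === $raw) {
        return null;
    }

    // Only the Basic scheme carries user:password; a Bearer token or any
    // other scheme must not be base64-decoded into credentials.
    if (0 !== stripos($raw, 'basic ')) {
        return null;
    }

    // Strict decoding rejects garbage instead of silently returning junk.
    $decoded = base64_decode(substr($raw, 6), true);
    if (false === $decoded || false === strpos($decoded, ':')) {
        return null; // malformed header: refuse rather than guess
    }

    // Limit 2 so a password containing ':' survives intact.
    return explode(':', $decoded, 2);
}

// Constructed sample: a proxied request where only the REDIRECT_ variant
// survived, with a password that contains a colon.
$sample = [
    'REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('dev:s3cr:et'),
];
$credentials = resolveBasicAuth($sample);
var_dump($credentials);
```

With the constructed sample the function returns the user `dev` and the full password `s3cr:et`; a header using another scheme, or one that does not decode to `user:password`, yields `null`, so the caller falls through to the existing "not allowed" response rather than comparing against half-parsed credentials.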
Works like a charm.
Tested hosting is 1&1 btw.