[FASTCGI] [PATCH] Updated patch for -pass-header correct handling

Christian Seiler chris_se at gmx.net
Sun Sep 21 16:00:49 EDT 2008

Hi Rob,

> The existing -pass-header implementation works as intended.  To pass the
> HTTP_AUTHORIZATION header, you have to specify "-pass-header

I don't mean to offend, but have you actually tried this?

Let me make a very concrete example: I take a standard mod_fastcgi 2.4.6
and a standard PHP install with default configuration and the following
PHP script:

<?php
// Always answer 401 so the browser prompts for Basic credentials
Header ('Status: 401 Authorization required');
Header ('WWW-Authenticate: Basic realm="Test"');

When I then load the script, enter some dummy credentials when the browser
shows the auth dialog for the first time and hit cancel the second
time, I get the following results:

1) FastCgiConfig -pass-header HTTP_AUTHORIZATION

No additional CGI environment variable is passed to PHP (note that this
does not even consider whether PHP interprets them correctly or not,
there simply is no additional variable there).

2) FastCgiConfig -pass-header AUTHORIZATION

An additional variable "AUTHORIZATION" with the contents of the
Authorization header is added to the CGI environment passed to PHP.

Also, this is consistent with the code of mod_fastcgi, see
<http://www.fastcgi.com/mod_fastcgi/fcgi_protocol.c>, lines 180 an

        for ( ; i; --i, ++elt) {
            const char *val = ap_table_get(fr->r->headers_in, *elt);
            if (val) {
                ap_table_setn(fr->r->subprocess_env, *elt, val);
            }
        }

If I supply -pass-header FOO, this code would look up FOO in
fr->r->headers_in (which contains the raw HTTP header names unencoded,
i.e. ap_table_get(fr->r->headers_in, "Host") will work but
ap_table_get(fr->r->headers_in, "HTTP_HOST") won't!) and then it will
set the environment variable FOO in the subprocess_env so it can be
passed to the FastCGI process. It will not change the header name at all.

So, if you do -pass-header HTTP_AUTHORIZATION, mod_fastcgi will try to
look up the HTTP header HTTP_AUTHORIZATION which is not sent by the
browser (a browser would actually have to send "HTTP_AUTHORIZATION: foo"
in order for such a header to appear in headers_in) and since it's not
set, it does nothing.

If you do -pass-header AUTHORIZATION, mod_fastcgi will try to look up the
HTTP header AUTHORIZATION, which is sent by the browser, but then it
will set the CGI env variable with the name AUTHORIZATION.

If you compare this to the normal Apache code that copies the HTTP
headers to the standard CGI environment (and leaves out AUTHORIZATION
for security purposes which don't apply to FastCGI), you will see that
the standard code uppercases all header names, replaces all non-alnum
chars with underscores and prepends HTTP_ in front of the header name
before it sets the environment variable name - which is exactly what the
CGI spec requires.

My patch does exactly this for mod_fastcgi with -pass-header. I hope I
could make my point clearer now.

> Consistent with mod_cgi, I have incorporated support for duplicate
> Status/Location/ContentType headers being returned by the application.


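The behaviour discussed in the message above, as an added stand-alone example (not code from the post, from mod_fastcgi or from the patch): the -pass-header argument is looked up as a raw header name, and the environment variable name is then derived with the CGI rule (uppercase, non-alphanumerics to underscores, HTTP_ prefix). The header table and the helpers hdr_get, cgi_env_name and pass_header are hypothetical stand-ins, and the header values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for r->headers_in: raw names as sent by the client. */
struct hdr { const char *name, *val; };
static const struct hdr headers_in[] = {
    { "Host", "example.test" },
    { "Authorization", "Basic ZHVtbXk6ZHVtbXk=" },   /* dummy:dummy */
    { "X-Forwarded-For", "192.0.2.1" },
};

/* Hypothetical helper: case-insensitive lookup by raw header name. */
static const char *hdr_get(const char *name) {
    for (size_t i = 0; i < sizeof headers_in / sizeof *headers_in; i++)
        if (strcasecmp(headers_in[i].name, name) == 0)
            return headers_in[i].val;
    return NULL;
}

/* CGI naming rule: uppercase, non-alphanumerics -> '_', "HTTP_" prefix.
 * Returns 0 on success, -1 if out cannot hold the result. */
static int cgi_env_name(const char *hdr, char *out, size_t outlen) {
    size_t n = strlen(hdr);
    if (outlen < n + 6) return -1;            /* "HTTP_" + name + NUL */
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)hdr[i];
        out[5 + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[5 + n] = '\0';
    return 0;
}

/* Resolve one -pass-header argument: returns the header value and fills
 * env with the CGI variable name, or returns NULL if nothing is passed. */
static const char *pass_header(const char *arg, char *env, size_t envlen) {
    const char *val = hdr_get(arg);
    return (val && cgi_env_name(arg, env, envlen) == 0) ? val : NULL;
}

int main(void) {
    const char *args[] = { "HTTP_AUTHORIZATION", "AUTHORIZATION", "X-Forwarded-For" };
    char env[64];
    for (size_t i = 0; i < 3; i++) {
        const char *val = pass_header(args[i], env, sizeof env);
        printf("-pass-header %s -> %s\n", args[i], val ? env : "(header not sent, nothing passed)");
    }
    return 0;
}
```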