[FASTCGI] [PATCH] Updated patch for -pass-header correct handling
Rob Saccoccio
robs at saccoccio.org
Sun Sep 21 20:18:01 EDT 2008
Yep. Right you are. Patch committed. Thanks for the clarification.
Rob
> -----Original Message-----
> From: Christian Seiler [mailto:chris_se at gmx.net]
> Sent: Sunday, September 21, 2008 4:01 PM
> To: Rob Saccoccio
> Cc: fastcgi-developers at mailman.fastcgi.com
> Subject: Re: [FASTCGI] [PATCH] Updated patch for -pass-header correct
> handling
>
> Hi Rob,
>
> > The existing -pass-header implementation works as intended. To pass the
> > HTTP_AUTHORIZATION header, you have to specify "-pass-header
> > HTTP_AUTHORIZATION (not "-pass-header AUTHORIZATION").
>
> I don't mean to offend, but have you actually tried this?
>
> Let me make a very concrete example: I take a standard mod_fastcgi 2.4.6
> and a standard PHP install with default configuration and the following
> PHP script:
>
> <?php
>
> Header ('Status: 401 Authorization required');
> Header ('WWW-Authenticate: Basic realm="Test"');
>
> phpinfo(INFO_VARIABLES);
>
> ?>
>
> Then I load the script, enter some dummy credentials when the browser
> shows the auth dialog for the first time and hit cancel for the second
> time, I get the following results:
>
> 1) FastCgiConfig -pass-header HTTP_AUTHORIZATION
>
> No additional CGI environment variable is passed to PHP (note that this
> does not even consider whether PHP interprets them correctly or not,
> there simply is no additional variable there)
>
> 2) FastCgiConfig -pass-header AUTHORIZATION
>
> An additional variable "AUTHORIZATION" with the contents of the
> Authorization header is added to the CGI environment passed to PHP.
>
> Also, this is consistent with the code of mod_fastcgi, see
> <http://www.fastcgi.com/mod_fastcgi/fcgi_protocol.c>, lines 180 and
> following:
>
> for ( ; i; --i, ++elt) {
>     const char *val = ap_table_get(fr->r->headers_in, *elt);
>     if (val) {
>         ap_table_setn(fr->r->subprocess_env, *elt, val);
>     }
> }
>
> If I supply -pass-header FOO, this code would look up FOO in
> fr->r->headers_in (which contains the raw HTTP header names unencoded,
> i.e. ap_table_get(fr->r->headers_in, "Host") will work but
> ap_table_get(fr->r->headers_in, "HTTP_HOST") won't!) and then it will
> set the environment variable FOO in the subprocess_env so it can be
> passed to the FastCGI process. It will not change the header name at all.
>
> So, if you do -pass-header HTTP_AUTHORIZATION, mod_fastcgi will try to
> lookup the HTTP header HTTP_AUTHORIZATION which is not sent by the
> browser (a browser would actually have to send "HTTP_AUTHORIZATION: foo"
> in order for such a header to appear in headers_in) and since it's not
> set, it does nothing.
>
> If you do -pass-header AUTHORIZATION, mod_fastcgi will try to lookup the
> HTTP header AUTHORIZATION, which is sent by the browser, but then it
> will set the CGI env variable with the name AUTHORIZATION.
>
> If you compare this to the normal Apache code that copies the HTTP
> headers to the standard CGI environment (and leaves out AUTHORIZATION
> for security purposes which don't apply to FastCGI), you will see that
> the standard code uppercases all header names, replaces all non-alnum
> chars with underscores and prepends HTTP_ in front of the header name
> before it sets the environment variable name - which is exactly what the
> CGI spec requires.
>
> My patch does exactly this for mod_fastcgi with -pass-header. I hope I
> could make my point clearer now.
>
> > Consistent with mod_cgi, I have incorporated support for duplicate
> > Status/Location/ContentType headers being returned by the application.
>
> Thanks.
>
> Regards,
> Christian
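The header-name translation Christian describes (uppercase, non-alnum to underscore, HTTP_ prefix), and why looking up HTTP_AUTHORIZATION in headers_in silently does nothing, as an added stand-alone C example that is not mod_fastcgi's or the patch's own code; the headers_in table, its values and the `cgi_env_name`/`pass_header` names are constructed for illustration.

```c
#include <ctype.h>
#include <string.h>
/* CGI meta-variable name for an HTTP header, as the CGI spec and Apache's
 * standard CGI code build it: "HTTP_" + uppercase name, non-alnum -> '_'.
 * Returns 0 on success, -1 if 'out' is too small. */
int cgi_env_name(const char *header, char *out, size_t outlen)
{
    size_t n = 5; /* strlen("HTTP_") */
    if (outlen < n + strlen(header) + 1)
        return -1;
    memcpy(out, "HTTP_", n);
    for (const char *p = header; *p; ++p)
        out[n++] = isalnum((unsigned char)*p) ? (char)toupper((unsigned char)*p) : '_';
    out[n] = '\0';
    return 0;
}

/* Constructed stand-in for fr->r->headers_in: raw header names as the browser
 * sent them. Apache table lookups compare names case-insensitively. */
struct header { const char *name; const char *value; };
static const struct header sample_headers_in[] = {
    { "Host", "example.test" },
    { "Authorization", "Basic ZHVtbXk6ZHVtbXk=" }, /* constructed dummy credentials */
};
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

const char *headers_in_get(const char *name)
{
    for (size_t i = 0; i < sizeof sample_headers_in / sizeof sample_headers_in[0]; ++i)
        if (name_eq(sample_headers_in[i].name, name))
            return sample_headers_in[i].value;
    return NULL;
}

/* Patched -pass-header behaviour: look up the raw header name; if present, set
 * the CGI-spec variable name. Returns that name, or NULL when the header is
 * absent (the silent no-op seen with "-pass-header HTTP_AUTHORIZATION"). */
const char *pass_header(const char *arg, char *var, size_t varlen)
{
    if (!headers_in_get(arg) || cgi_env_name(arg, var, varlen) != 0)
        return NULL;
    return var;
}
```

With the unpatched loop the variable would be set under the raw name AUTHORIZATION instead, which is why PHP never saw HTTP_AUTHORIZATION in either configuration.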