merged branch shouze/fix/auth-digest (PR #8952)

fabpot · fabpot · commit 1086faf0fb55 · 2013-09-07T07:57:27.000+02:00
This PR was submitted for the master branch but it was merged into the 2.2 branch instead (closes #8952). Discussion ---------- [HttpFoundation] Fixing broken http auth digest in some circumstances. | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | can be refered in issue #1813 | License | MIT | Doc PR | n/a With some apache + php-fpm setup we need to set ```PHP_AUTH_DIGEST``` value if not already setted in GLOBAL vars. Added some unit tests too. Commits ------- 9fc994b [HttpFoundation] Fixing broken http auth digest in some circumstances (php-fpm + apache).
diff --git a/src/Symfony/Component/HttpFoundation/ServerBag.php b/src/Symfony/Component/HttpFoundation/ServerBag.php
@@ -63,18 +63,26 @@ public function getHeaders()
                 $authorizationHeader = $this->parameters['REDIRECT_HTTP_AUTHORIZATION'];
             }
 
-            // Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic
-            if ((null !== $authorizationHeader) && (0 === stripos($authorizationHeader, 'basic'))) {
-                $exploded = explode(':', base64_decode(substr($authorizationHeader, 6)));
-                if (count($exploded) == 2) {
-                    list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;
+            if ((null !== $authorizationHeader)) {
+                if ((0 === stripos($authorizationHeader, 'basic'))) {
+                    // Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic
+                    $exploded = explode(':', base64_decode(substr($authorizationHeader, 6)));
+                    if (count($exploded) == 2) {
+                        list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;
+                    }
+                } elseif (empty($this->parameters['PHP_AUTH_DIGEST']) && (0 === stripos($authorizationHeader, 'digest'))) {
+                    // In some circumstances PHP_AUTH_DIGEST needs to be set
+                    $headers['PHP_AUTH_DIGEST'] = $authorizationHeader;
+                    $this->parameters['PHP_AUTH_DIGEST'] = $authorizationHeader;
                 }
             }
         }
 
         // PHP_AUTH_USER/PHP_AUTH_PW
         if (isset($headers['PHP_AUTH_USER'])) {
             $headers['AUTHORIZATION'] = 'Basic '.base64_encode($headers['PHP_AUTH_USER'].':'.$headers['PHP_AUTH_PW']);
+        } elseif (isset($headers['PHP_AUTH_DIGEST'])) {
+            $headers['AUTHORIZATION'] = $headers['PHP_AUTH_DIGEST'];
         }
 
         return $headers;
diff --git a/src/Symfony/Component/HttpFoundation/Tests/ServerBagTest.php b/src/Symfony/Component/HttpFoundation/Tests/ServerBagTest.php
@@ -89,6 +89,28 @@ public function testHttpBasicAuthWithPhpCgiEmptyPassword()
         ), $bag->getHeaders());
     }
 
+    public function testHttpDigestAuthWithPhpCgi()
+    {
+        $digest = 'Digest username="foo", realm="acme", nonce="'.md5('secret').'", uri="/protected, qop="auth"';
+        $bag = new ServerBag(array('HTTP_AUTHORIZATION' => $digest));
+
+        $this->assertEquals(array(
+            'AUTHORIZATION' => $digest,
+            'PHP_AUTH_DIGEST' => $digest,
+        ), $bag->getHeaders());
+    }
+
+    public function testHttpDigestAuthWithPhpCgiRedirect()
+    {
+        $digest = 'Digest username="foo", realm="acme", nonce="'.md5('secret').'", uri="/protected, qop="auth"';
+        $bag = new ServerBag(array('REDIRECT_HTTP_AUTHORIZATION' => $digest));
+
+        $this->assertEquals(array(
+            'AUTHORIZATION' => $digest,
+            'PHP_AUTH_DIGEST' => $digest,
+        ), $bag->getHeaders());
+    }
+
     public function testOAuthBearerAuth()
     {
         $headerContent = 'Bearer L-yLEOr9zhmUYRkzN1jwwxwQ-PBNiKDc8dgfB4hTfvo';

Original file line number	Diff line number	Diff line change
`@@ -63,18 +63,26 @@ public function getHeaders()`
`63`	`63`	`$authorizationHeader = $this->parameters['REDIRECT_HTTP_AUTHORIZATION'];`
`64`	`64`	`}`
`65`	`65`
`66`		`- // Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic`
`67`		`- if ((null !== $authorizationHeader) && (0 === stripos($authorizationHeader, 'basic'))) {`
`68`		`- $exploded = explode(':', base64_decode(substr($authorizationHeader, 6)));`
`69`		`- if (count($exploded) == 2) {`
`70`		`- list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;`
	`66`	`+ if ((null !== $authorizationHeader)) {`
	`67`	`+ if ((0 === stripos($authorizationHeader, 'basic'))) {`
	`68`	`+ // Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic`
	`69`	`+ $exploded = explode(':', base64_decode(substr($authorizationHeader, 6)));`
	`70`	`+ if (count($exploded) == 2) {`
	`71`	`+ list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;`
	`72`	`+ }`
	`73`	`+ } elseif (empty($this->parameters['PHP_AUTH_DIGEST']) && (0 === stripos($authorizationHeader, 'digest'))) {`
	`74`	`+ // In some circumstances PHP_AUTH_DIGEST needs to be set`
	`75`	`+ $headers['PHP_AUTH_DIGEST'] = $authorizationHeader;`
	`76`	`+ $this->parameters['PHP_AUTH_DIGEST'] = $authorizationHeader;`
`71`	`77`	`}`
`72`	`78`	`}`
`73`	`79`	`}`
`74`	`80`
`75`	`81`	`// PHP_AUTH_USER/PHP_AUTH_PW`
`76`	`82`	`if (isset($headers['PHP_AUTH_USER'])) {`
`77`	`83`	`$headers['AUTHORIZATION'] = 'Basic '.base64_encode($headers['PHP_AUTH_USER'].':'.$headers['PHP_AUTH_PW']);`
	`84`	`+ } elseif (isset($headers['PHP_AUTH_DIGEST'])) {`
	`85`	`+ $headers['AUTHORIZATION'] = $headers['PHP_AUTH_DIGEST'];`
`78`	`86`	`}`
`79`	`87`
`80`	`88`	`return $headers;`