Bug #53010
UsernamePasswordHttpBasic disabled since .htaccess strips "Basic"
| Status: | Resolved | Start date: | 2013-10-21 |
|---|---|---|---|
| Priority: | Must have | Due date: | |
| Assigned To: | - | % Done: | 100% |
| Category: | Security | | |
| Target version: | - | | |
| PHP Version: | | Complexity: | |
| Has patch: | No | Affected Flow version: | Git master |
Description
Hey there.
The Token\UsernamePasswordHttpBasic requires the "Authentication" header to begin with "Basic". That's fine since this very token is only meant to deal with basic auth requests.
Unfortunately the .htaccess file which gets installed contains the following line:
SetEnvIfNoCase Authorization "Basic ([a-zA-Z0-9\+/=]+)" REMOTE_AUTHORIZATION=$1
This means: Whenever the "Authorization Basic" header is set, it gets passed to the REMOTE_AUTHORIZATION environment variable by stripping the "Basic" string.
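To make the failure mode concrete, the following is an added Python example; it is not part of the bug report and not code from the TYPO3 Flow project. It simulates what Apache's `SetEnvIfNoCase` rule quoted above leaves in `REMOTE_AUTHORIZATION` (only capture group 1, so the scheme word is gone), runs that value through a token that insists on the `Basic ` prefix, and contrasts it with a hypothetical tolerant parser. The credential pair `alice:s3cret` is constructed for the demonstration, and the tolerant parser is an illustration of a defensive design, not the change that was merged for this ticket.

```python
import base64
import re
from typing import Dict, Optional, Tuple

# The SetEnvIfNoCase line from the installed .htaccess, as quoted in the report.
# Apache matches it case-insensitively and stores only capture group 1, i.e. the
# base64 payload without the leading "Basic " scheme word.
HTACCESS_PATTERN = re.compile(r"Basic ([a-zA-Z0-9\+/=]+)", re.IGNORECASE)


def simulate_setenvif(authorization_header: str) -> Dict[str, str]:
    """Mimic the quoted rule: if the Authorization header matches, the
    REMOTE_AUTHORIZATION environment variable receives group 1 only."""
    env: Dict[str, str] = {}
    match = HTACCESS_PATTERN.search(authorization_header)
    if match:
        env["REMOTE_AUTHORIZATION"] = match.group(1)
    return env


def decode_credentials(b64: str) -> Optional[Tuple[str, str]]:
    """Decode a 'user:password' base64 payload; None on malformed input."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def strict_basic_token(value: str) -> Optional[Tuple[str, str]]:
    """Behaviour the report describes: the token only accepts a value that
    still begins with 'Basic '. After the .htaccess rewrite it never does."""
    if not value.startswith("Basic "):
        return None
    return decode_credentials(value[len("Basic "):])


def tolerant_basic_token(value: str) -> Optional[Tuple[str, str]]:
    """Hypothetical defensive variant (not the project's fix): accept the value
    with or without the scheme word, case-insensitively, so a front-end rewrite
    that strips 'Basic' cannot silently disable authentication."""
    if value[:6].lower() == "basic ":
        value = value[6:]
    return decode_credentials(value.strip())


def run_demo() -> dict:
    """Constructed request: a browser sends 'Authorization: Basic <alice:s3cret>'."""
    header = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
    env = simulate_setenvif(header)
    stripped = env.get("REMOTE_AUTHORIZATION", "")
    return {
        "header": header,
        "env": env,
        "strict": strict_basic_token(stripped),      # None: prefix is gone
        "tolerant": tolerant_basic_token(stripped),  # ('alice', 's3cret')
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Running the script shows `REMOTE_AUTHORIZATION` holding only `YWxpY2U6czNjcmV0`, the strict token rejecting it, and the tolerant parser recovering the credentials. The same check can be reproduced against a real deployment by inspecting the environment a CGI/FastCGI PHP process actually receives before assuming the token is at fault.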
Associated revisions
[BUGFIX] REMOTE_AUTHORIZATION strips "Basic" string
Currently the .htaccess file passes the "Authorization" header
to the REMOTE_AUTHORIZATION environment variable by stripping
the "Basic" string. This means as soon as the authentication
token tries to authenticate, the only remaining thing is the
base64 encoded value of username/password without the "Basic"
indicator. This leads to no basic auth possible when running
CGI.
Change-Id: Ia316a732c1eecade595f67928fc1ce6935731af0
Resolves: #53010
Releases: master, 2.2, 2.1
[BUGFIX] REMOTE_AUTHORIZATION strips "Basic" string
Currently the .htaccess file passes the "Authorization" header
to the REMOTE_AUTHORIZATION environment variable by stripping
the "Basic" string. This means as soon as the authentication
token tries to authenticate, the only remaining thing is the
base64 encoded value of username/password without the "Basic"
indicator. This leads to no basic auth possible when running
CGI.
Change-Id: Ia316a732c1eecade595f67928fc1ce6935731af0
Resolves: #53010
Releases: master, 2.2, 2.1
(cherry picked from commit 8bd0eca54fefa1eb014d000f368634d2a91f477d)
History
#1 Updated by Gerrit Code Review almost 2 years ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/24936
#2 Updated by Karsten Dambekalns over 1 year ago
- Category set to Security
#3 Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/24936
#4 Updated by Gerrit Code Review over 1 year ago
Patch set 3 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/24936
#5 Updated by Gerrit Code Review 11 months ago
Patch set 4 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at http://review.typo3.org/24936
#6 Updated by Gerrit Code Review 11 months ago
Patch set 1 for branch 2.2 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at http://review.typo3.org/32389
#7 Updated by Gerrit Code Review 11 months ago
Patch set 1 for branch 2.1 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at http://review.typo3.org/32390
#8 Updated by Stephan Schuler 11 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 8bd0eca54fefa1eb014d000f368634d2a91f477d.