Php-cgi & SabreDAV authentication problem

software development

#1

Hello,

For development I tried to setup a webdav server on my DH account using SabreDAV. Without authentication, the servers runs fine, but when I add (Digest) authentication, there seems to be a problem with the php-cgi implementation of DH:

It looks like the authentication header of the client is not properly passed to the server script. I always geht the following error message from the server:

[code]
marcus@darkstar:~$ curl --digest --user marcus:testpw http://dav.erber.info/dav

<?xml version="1.0" encoding="utf-8"?>

<d:error xmlns:d=“DAV:” xmlns:s=“http://sabredav.org/ns”>
<s:exception>Sabre_DAV_Exception_NotAuthenticated</s:exception>
<s:message>No digest authentication headers were found</s:message>
<s:sabredav-version>1.5.6</s:sabredav-version>
</d:error>
marcus@darkstar:~$ [/code]

This seems to be a known problem with Apache using cgi or fast-cgi for php, but even the addtional flags in the .htaccess file did not solve the problem:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^/*(.*)$ /server.php/$1 [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

The same setup works on another hosting provider who uses php as an Apache module without problems.

BTW: FAST-CGI and CGI behave differentely:
when the domain is set to use CGI (regardless if php 5.2 or 5.3) the error occures as above.
when the domain is set to use fast-cgi, I get the following output:

marcus@darkstar:~$ curl --digest --user marcus:testpw http://dav.erber.info/dav No input file specified. marcus@darkstar:~$

Any help highly appreciated!

Thanks,
bye
Marcus.


#2

I am having a similar problem getting access to the Authorization headers through PHP CGI. Per some advice in the PHP documentation comments I have put the following directive in the .htaccess file in the directory containing my digest-auth test script:

But the PHP_AUTH_DIGEST_RAW property is not accessible via either $_ENV or getenv(). I have also tried this without the ^$ flags around the header name, but with no success.


#3

The PHP_AUTH_DIGEST_RAW environment variable is being stripped out by suexec before it reaches PHP. Try (mis)using the USER_NAME environment variable instead; that one is passed through.