
apache_request_headers() missing Authorization header #4282

Closed jazzdan closed 9 years ago

jazzdan commented 9 years ago

To reproduce, place the following script in the Apache document root. Note that it echoes the entire request environment — including any Authorization header the client sent and internal server paths — to the response, so run it only on a throwaway test host and remove it afterwards:

<?php

// Repro for #4282: dump the raw CGI environment first, then the SAPI's own view
// of the request headers, so the two can be compared for a missing entry.
// Everything printed here goes straight to the HTTP response, credentials
// included — this is a diagnostic script, not something to leave deployed.
$environment = $_SERVER;
print_r($environment);

echo "\n===================================================================================================================\n";

$sapiHeaders = apache_request_headers();
print_r($sapiHeaders);

Query it like this: curl -H "Authorization: blah" http://localhost/dbping.php

It outputs this:

Array
(
    [REQUEST_START_TIME] => 1416343040
    [REQUEST_TIME] => 1416343040
    [REQUEST_TIME_FLOAT] => 1416343040.4445
    [HTTP_ACCEPT] => */*
    [HTTP_HOST] => localhost
    [HTTP_USER_AGENT] => curl/7.30.0
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_ADDR] => 10.100.8.248
    [SERVER_NAME] => test
    [SERVER_PORT] => 7087
    [SERVER_SOFTWARE] => Apache
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_SIGNATURE] =>
    [QUERY_STRING] =>
    [REQUEST_METHOD] => GET
    [REDIRECT_api_request] => 1
    [REDIRECT_DISABLE_ORM_APC] => 1
    [DOCUMENT_ROOT] => /var/www
    [CSRF_LOG_FILE] => /var/log/httpd/csrf_failures.log
    [PATH] => /sbin:/usr/sbin:/bin:/usr/bin
    [SCRIPT_NAME] => /dbping.php
    [REDIRECT_CSRF_LOG_FILE] => /var/log/httpd/csrf_failures.log
    [REDIRECT_SCRIPT_URL] => /dbping.php
    [SCRIPT_URL] => /dbping.php
    [PATH_INFO] => /dbping.php
    [REDIRECT_LOCALE] => en-US
    [PATH_TRANSLATED] => /var/www/dbping.php
    [REDIRECT_SCRIPT_URI] =>http://localhost/dbping.php
    [force_response_1_0] => 1
    [REMOTE_PORT] => 55018
    [REDIRECT_STATUS] => 200
    [PHPPATH] => /var/www/phplib
    [Authorization] => blah
    [REQUEST_URI] => /dbping.php
    [REDIRECT_USER] => apache
    [REDIRECT_RUN_DIR] => /home/dmiller/run
    [RUN_DIR] => /home/dmiller/run
    [DISABLE_ORM_APC] => 1
    [SCRIPT_FILENAME] => /var/www/dbping.php
    [SCRIPT_URI] => http://localhost/dbping.php
    [REDIRECT_atlas_request] => 0
    [LOCALE] => en-US
    [USER] => apache
    [REDIRECT_HANDLER] => hhvm-php-extension
    [REDIRECT_force_response_1_0] => 1
    [REMOTE_ADDR] => 10.101.246.18
    [REDIRECT_URL] => /dbping.php
    [PHP_SELF] => /dbping.php/dbping.php
    [HTTPS] =>
    [argv] => Array
        (
            [0] =>
        )

    [argc] => 1
    [THREAD_TYPE] => Web Request
)

===================================================================================================================
Array
(
    [Accept] => */*
    [Host] => dmiller2.vm.ny5.etsy.com:7087
    [User-Agent] => curl/7.30.0
)

Note that the Authorization header is present in $_SERVER but absent from apache_request_headers(). It also shows up under the key `Authorization` rather than the usual `HTTP_AUTHORIZATION` form that the other headers take (`HTTP_ACCEPT`, `HTTP_HOST`, ...), which suggests it is being injected as an environment variable by the Apache configuration rather than arriving through the normal CGI header path — presumably that is why HHVM's apache_request_headers() does not pick it up.

By contrast, a header with any other name — say `Foo` — is reported correctly by both: curl -H "Authorization: blah" -H "Foo: bar" http://localhost/dbping.php

Array
(
    [REQUEST_START_TIME] => 1416343091
    [REQUEST_TIME] => 1416343091
    [REQUEST_TIME_FLOAT] => 1416343091.525
    [HTTP_FOO] => bar
    [HTTP_ACCEPT] => */*
    [HTTP_HOST] => localhost
    [HTTP_USER_AGENT] => curl/7.30.0
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_ADDR] => 10.100.8.248
    [SERVER_NAME] => localhost
    [SERVER_PORT] => 7087
    [SERVER_SOFTWARE] => Apache
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_SIGNATURE] =>
    [REDIRECT_URL] => /dbping.php
    [DOCUMENT_ROOT] => /var/www
    [REDIRECT_api_request] => 1
    [CSRF_LOG_FILE] => /var/log/httpd/csrf_failures.log
    [PATH] => /sbin:/usr/sbin:/bin:/usr/bin
    [SCRIPT_NAME] => /dbping.php
    [REDIRECT_CSRF_LOG_FILE] => /var/log/httpd/csrf_failures.log
    [REDIRECT_SCRIPT_URL] => /dbping.php
    [SCRIPT_URL] => /dbping.php
    [PATH_INFO] => /dbping.php
    [REDIRECT_LOCALE] => en-US
    [PATH_TRANSLATED] => /var/www
    [REDIRECT_SCRIPT_URI] => http://localhost/dbping.php
    [force_response_1_0] => 1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] =>
    [Authorization] => blah
    [PHPPATH] => /var/www/
    [REDIRECT_STATUS] => 200
    [REMOTE_PORT] => 55189
    [REQUEST_URI] => /dbping.php
    [REDIRECT_USER] => apache
    [SCRIPT_FILENAME] => /var/www/dbping.php
    [DISABLE_ORM_APC] => 1
    [REDIRECT_RUN_DIR] => /home/dmiller/run
    [REDIRECT_DISABLE_ORM_APC] => 1
    [RUN_DIR] => /home/dmiller/run
    [SCRIPT_URI] => http://localhost/dbping.php
    [REDIRECT_atlas_request] => 0
    [LOCALE] => en-US
    [USER] => apache
    [REDIRECT_HANDLER] => hhvm-php-extension
    [REDIRECT_force_response_1_0] => 1
    [REMOTE_ADDR] => 10.101.246.18
    [PHP_SELF] => /dbping.php/dbping.php
    [HTTPS] =>
    [argv] => Array
        (
            [0] =>
        )

    [argc] => 1
    [THREAD_TYPE] => Web Request
)

===================================================================================================================
Array
(
    [Foo] => bar
    [Accept] => */*
    [Host] => localhost
    [User-Agent] => curl/7.30.0
)

This breaks the OAuth extension, which reads the request's Authorization header via apache_request_headers(): under HHVM the header is never seen, so requests that carry their OAuth credentials in that header fail to authenticate.

paulbiss commented 9 years ago

Fix is up internally D1689097

paulbiss commented 9 years ago

Commit message was truncated 60ed68cc1697a897a90a1712e8aa040235efc8a5 :/