mitcho / shibboleth

WordPress Shibboleth plugin

added shibboleth_getenv #13

Open cjbnc opened 9 years ago

cjbnc commented 9 years ago

We're running various hosting services on our campus using different installations of PHP. Some folks have mod_php with the standard behavior. Others are using Apache + mod_fastcgi + php-fpm. On those servers, the Apache httpd rewrites all the environment variables from Shibboleth by prefixing them with 'REDIRECT_'. So for example,

eppn => REDIRECT_eppn
givenName => REDIRECT_givenName
etc.

One of our problems is that we'd like to offer the ability to move to newer PHP versions on the same server, which means moving from mod_php to mod_fastcgi and hoping that we don't break WordPress and this Shibboleth plugin in particular.

The pull request is to include the code that I added to allow this plugin to handle Shibboleth environment variables the same way, regardless of whether the PHP engine is running as mod_php or mod_fastcgi. I've tested this modification on my WordPress 4.2.2 test server, using mod_php 5.3.x and mod_fastcgi+php-fpm 5.4.x, 5.5.x, and 5.6.x. It appears to work correctly and transparently.
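An added example, not the code from this pull request or from the plugin: a lookup that returns the same Shibboleth attribute whether Apache exposes it as `eppn` or as `REDIRECT_eppn`. The function name `example_shib_getenv`, the depth limit, the handling of stacked `REDIRECT_` prefixes (a generalization beyond the single prefix described above) and the sample arrays are assumptions for illustration; it needs PHP 7.1 or later.

```php
<?php
// Added example; example_shib_getenv() is a hypothetical name, not the plugin's API.

/**
 * Return a Shibboleth attribute from a server-variable array, accepting the
 * plain name or the name carrying one or more "REDIRECT_" prefixes.
 * In a real request the caller would pass $_SERVER.
 */
function example_shib_getenv(string $name, array $server, int $maxDepth = 3): ?string
{
    $key = $name;
    for ($depth = 0; $depth <= $maxDepth; $depth++) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return (string) $server[$key];
        }
        // Apache adds one "REDIRECT_" per internal redirect, so prefixes can stack.
        $key = 'REDIRECT_' . $key;
    }
    // Deliberately no fallback to 'HTTP_' . strtoupper($name): those keys are
    // built from client request headers (RFC 3875 section 4.1.18).
    return null;
}

// Constructed sample inputs, one per server setup.
$samples = [
    'mod_php'   => ['eppn' => 'alice@example.edu', 'givenName' => 'Alice'],
    'fastcgi'   => ['REDIRECT_eppn' => 'alice@example.edu', 'REDIRECT_givenName' => 'Alice'],
    'stacked'   => ['REDIRECT_REDIRECT_eppn' => 'alice@example.edu'],
    'http_only' => ['HTTP_EPPN' => 'admin@example.edu'], // request header only
    'empty'     => ['REDIRECT_eppn' => ''],
];

foreach ($samples as $label => $server) {
    $eppn = example_shib_getenv('eppn', $server);
    printf("%-10s %s\n", $label, $eppn ?? '(not set)');
}
```

The first three sample arrays resolve to the same `eppn`; the `http_only` and `empty` cases return `null`, so a login handler built on this lookup treats them as "no Shibboleth session".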

jrchamp commented 9 years ago

Overall, very nice. Happy to see that this is working on a larger variety of setups.

cjbnc commented 9 years ago

I agree with jrchamp's suggestions. I've replaced my function with his and tested it on my server. Still works as expected.

ck-ws commented 8 years ago

@cjbnc, would you update this PR so that it doesn't conflict any longer, please? mitcho may accept it then.

jrchamp commented 8 years ago

Here's the rebased copy I'm using: https://github.com/mitcho/shibboleth/compare/master...jrchamp:pr_getenv

ck-ws commented 8 years ago

@mitcho, would you mind merging the pull request with the rebased copy by jrchamp?

srguglielmo commented 7 years ago

Hi all,

I'm trying to identify why this is needed (for srguglielmo/SimpleShib#1). I'm running Apache 2.4, PHP 7.0 via FPM and mod_proxy_fcgi. My HTTP headers are not prefixed with REDIRECT_ (or anything else).

Additionally, I confirmed in the PHP IRC support channel on Freenode that this is non-standard and HTTP headers are not prefixed automatically based on mod_php/fpm/etc.

In RFC 3875 section 4.1.18:

Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.

However, Apache's mod_shib sends headers without the HTTP prefix (preventing client forgery). As such, the shib headers should be accessed via $_SERVER['eppn'].

What are the details of the environment in which this is happening? Even if the environment is behind a reverse proxy, the headers are generated via mod_shib on the local Apache instance and should not change...

jrchamp commented 7 years ago

It's likely that the REDIRECT_ prefix is being added by mod_rewrite

cjbnc commented 7 years ago

All of my webservers still running RHEL6 + Apache 2.2.15 + mod_fastcgi-2.4.6 + php-fpm have this behavior. So does my RHEL7/Apache 2.4 based cpanel server running its PHP version picker (which I believe is fpm based).

srguglielmo commented 7 years ago

OK, I did some research on this. I think the difference is the CGI module being used. It looks like there are three available:

I'm using mod_proxy_fcgi in 2.4 on RHEL7. I created a ticket to track this for my plugin.

Thanks for the info!

Sources: https://serverfault.com/a/783176 https://en.wikipedia.org/wiki/FastCGI#Web_Servers_that_implement_FastCGI

michaelryanmcneill commented 7 years ago

Hello, thank you for submitting this patch. I released version 1.8 today to resolve this and other issues and included a shoutout for your patch. I am the new maintainer of the plugin and all further work on the plugin will be done in a new GitHub repository. If you have any further issues, please don't hesitate to report them in the new repository.