MFB.
authorAndrei Zmievski <andrei@php.net>
Sat, 21 Dec 2002 20:12:08 +0000 (20:12 +0000)
committerAndrei Zmievski <andrei@php.net>
Sat, 21 Dec 2002 20:12:08 +0000 (20:12 +0000)
NEWS
sapi/apache/mod_php4.c

diff --git a/NEWS b/NEWS
index 97426ee5cf034d8879045d081bb264e40908b061..c7c7160aba7f335f6afdfbb52ae3a6f0b3135592 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,8 @@ PHP 4                                                                      NEWS
 
 
 ? ? ??? 2002, Version 4.3.0
+- Make PHP_AUTH_* variables not available in safe mode under Apache when an
+  external basic auth mechanism is used. (Philip)
 - Aliased dba_popen() to dba_open() until 4.3.1 when persistent STDIO streams
   are introduced. (Andrei)
 - Fixed a security bug in the bundled MySQL library. (Georg, Stefan)
index ad7a1697bc1208496ddfc2a9a4400814b62e3cd4..d5333dec8ea3de0f36c91c5c9a51a3d0e32ce035 100644 (file)
@@ -448,7 +448,7 @@ static void init_request_info(TSRMLS_D)
                authorization = table_get(r->headers_in, "Authorization");
        }
        if (authorization
-               && !auth_type(r)
+               && (!PG(safe_mode) || (PG(safe_mode) && !auth_type(r)))
                && !strcasecmp(getword(r->pool, &authorization, ' '), "Basic")) {
                tmp = uudecode(r->pool, authorization);
                SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');
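Review bot: The rewritten condition in init_request_info() carries no comment explaining that, with safe mode off, the Basic Authorization header is now decoded into `SG(request_info).auth_user` even when `auth_type(r)` is set, which I read as Apache handling authentication for the request. In that configuration every script gets the user name, and presumably the password on the lines after the hunk, that the client sent for the server-protected realm. A comment at the condition would record the intent, for example `/* hide Basic credentials from scripts only when safe mode is on and Apache does the auth itself */`. The test is also redundant: `(!PG(safe_mode) || (PG(safe_mode) && !auth_type(r)))` is equivalent to `(!PG(safe_mode) || !auth_type(r))`. The function body starts before and continues after this hunk, so whether the `uudecode()` result is checked before use cannot be judged from here.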