The CGI RFC allows servers to pass Authorization data to the script,

if the server did not use the information contained therein.

See 6.1.5 and 11.2 of the proposed spec.

diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 7038f2dead710115b96d12b6657444c91c2feed0..fd96320ae431143a9972a97cc25fb0fc98097ea6 100644 (file)
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -276,6 +276,7 @@ static void php_cgi_usage(char *argv0)
 static void init_request_info(SLS_D)
 {
        char *content_length = getenv("CONTENT_LENGTH");
+       const char *auth;
 
 #if 0
 /* SG(request_info).path_translated is always set to NULL at the end of this function
@@ -326,10 +327,14 @@ static void init_request_info(SLS_D)
        SG(request_info).content_type = getenv("CONTENT_TYPE");
        SG(request_info).content_length = (content_length?atoi(content_length):0);
        SG(sapi_headers).http_response_code = 200;
-       /* CGI does not support HTTP authentication */
-       SG(request_info).auth_user = NULL;
-       SG(request_info).auth_password = NULL;
-
+       
+       /* The CGI RFC allows servers to pass on unvalidated Authorization data */
+       if ((auth = getenv("HTTP_AUTHORIZATION"))) {
+               php_handle_auth_data(auth SLS_CC);
+       } else {
+               SG(request_info).auth_user = NULL;
+               SG(request_info).auth_password = NULL;
+       }
 
 }