plugin:authhttp:discussion

Problems with 2014-05-05b and later

While this plugin works well for me in 2014-05-05a, it is broken for my setup in 2014-05-05b and newer releases. This is most likely due to the fix applied for the Null byte poisoning in LDAP authentication problem described at: http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication

The hotfix was as follows:

diff -r dokuwiki-2014-05-05a/inc/auth.php dokuwiki-2014-05-05b/inc/auth.php
98c98
<     // apply cleaning
---
>     // apply cleaning (auth specific user names, remove control chars)
100c100,101
<         $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
---
>         $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u'))));
>         $INPUT->set('p', stripctl($INPUT->str('p')));
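Review bot: the added `$INPUT->set('p', stripctl($INPUT->str('p')));` line silently rewrites the submitted password, so input containing control characters is verified as a different string from the one the client sent. Failing the login when control characters are present would be stricter than stripping them. The comment changed at line 98 also names user names only and should say that the password is cleaned as well.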
231c232
<         if($auth->checkPass($user, $pass)) {
---
>         if(!empty($pass) && $auth->checkPass($user, $pass)) {
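Review bot: the `!empty($pass)` guard on the changed line 232 is broader than "no password supplied", because PHP's `empty()` is also true for the string "0", so an account whose password is exactly "0" can no longer log in. An explicit comparison such as `(string) $pass !== ''` expresses the intent. Since `$auth->checkPass()` is now never reached when `$pass` is empty, a comment next to the check should say why the guard exists and that backends cannot authenticate a password-less request through this path.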

My guess is that the password ($pass) may be empty during HTTP authentication mechanisms (I'm using LemonLDAP to provide both LDAP and GoogleApps authentication).

A simple fix for my setup was to revert part of this change using:

sed -i 's,if(!empty($pass) && ,if(,' inc/auth.php

Problems with Server API CGI/FastCGI

I tried to use this plugin but it failed with the error “No credentials found, is HTTP authentication enabled in your Webserver?”

This is because my PHP is running as CGI / FASTCGI.

You can see this in phpinfo():

Server API CGI/FastCGI

(instead of Server API Apache 2.0 handler)

This website helped me to fix this problem: http://die.netzspielwiese.de/blog/server/2012-03/http-autorisierungsscript-in-php-mit-und-ohne-cgi-mode

How to solve the problem:

1.) Add to your .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

2.) Modify the plugin: modify <dokuwiki>/lib/plugins/authhttp/auth.php

Add line 56:
 list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);

so that it now reads:

        /* Make sure that HTTP authentication has been enabled in the Web
           server. Note that does not seem to work with PHP >= 4.3.0 and safe
           mode enabled! */
        // Limit of 2: split on the first colon only, the password may contain colons
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
        if ($_SERVER['PHP_AUTH_USER'] == "") {
            msg($this->getLang('nocreds'), -1);
            $this->success = false;
            return;
        }

Plugin is working fine. Only one authentication in the http browser!
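
A stricter way to read the credentials from the HTTP_AUTHORIZATION variable exported by the RewriteRule above, as an added example that is not part of the authhttp plugin or of the post above. The function name `parse_basic_credentials` is hypothetical, the sample inputs are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: not part of the authhttp plugin. Assumes PHP >= 7.1.
// parse_basic_credentials() is a hypothetical helper name.

/** Returns [user, password], or null if the header is missing or malformed. */
function parse_basic_credentials(array $server): ?array
{
    // After an internal redirect Apache prefixes the variable with REDIRECT_.
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';

    // Only the Basic scheme carries user:password; scheme names are case-insensitive.
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }

    // Strict mode rejects characters outside the base64 alphabet.
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // Split on the first colon only: the password may itself contain colons.
    [$user, $pass] = explode(':', $decoded, 2);

    // Refuse control characters (NUL included) rather than passing them on,
    // and refuse an empty user name or an empty password.
    if ($user === '' || $pass === '' || preg_match('/[\x00-\x1F\x7F]/', $user . $pass)) {
        return null;
    }
    return [$user, $pass];
}

// Constructed sample inputs, shaped like $_SERVER under CGI/FastCGI.
$samples = [
    'colon in password' => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cr:et')],
    'redirect prefix'   => ['REDIRECT_HTTP_AUTHORIZATION' => 'basic ' . base64_encode('bob:pw')],
    'NUL in user name'  => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode("alice\x00:pw")],
    'empty password'    => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:')],
    'other scheme'      => ['HTTP_AUTHORIZATION' => 'Bearer abc.def.ghi'],
    'header missing'    => [],
];
foreach ($samples as $label => $server) {
    printf("%-18s %s\n", $label, json_encode(parse_basic_credentials($server)));
}
```

Only the first two samples yield a credential pair; every other input returns null, which the caller should treat the same way the plugin treats missing credentials.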

plugin/authhttp/discussion.txt · Last modified: 2014-10-09 06:50 by 111.69.36.130