ZF-8825: Zend_Auth_Adapter_Http::authenticate() looks for 'Authorization' header when 'authorization' is also valid


A customer of ours was trying to authenticate to our app using basic authentication and python httplib2. It turns out that httplib2 lowercases headers before sending (which appears to be valid). From the HTTP/1.1 spec: {quote} 4.2 Message Headers

HTTP header fields, which include general-header (section 4.5), request-header (section 5.3), response-header (section 6.2), and entity-header (section 7.1) fields, follow the same generic format as that given in Section 3.1 of RFC 822 [9]. Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive. ... {quote} This would affect both basic and digest auth.

In looking at Zend_Controller_Request_Http::getHeader() one can see that the first attempt to find the header is a look at the $SERVER superglobal which has all uppercase keys for HTTP* headers. Since the 'authorization' header is not in the $_SERVER array, the apache_request_headers() response is then searched.

My first thought would be to alter the fallback in Zend_Controller_Request_Http::getHeader() to strtoupper() the apache_request_headers() resulting array keys. This would match the _SERVER style.

Here's a diff:

< if (!empty($headers[$header])) {

< return $headers[$header];

    $headers = array_change_key_case($headers, CASE_UPPER);
        if (!empty($headers[strtoupper($header)])) {
            return $headers[strtoupper($header)];


I also bumped into this issue when using CordovaJS library, see:

In Zend\Http\PhpEnvironment\Request::setServer you check for 'Authorization' with capital 'A' only:

// This seems to be the only way to get the Authorization header on Apache if (function_exists('apache_request_headers')) { $apacheRequestHeaders = apache_request_headers(); if (!isset($this->serverParams['HTTP_AUTHORIZATION']) && isset($apacheRequestHeaders['Authorization']) ) { $this->serverParams->set('HTTP_AUTHORIZATION', $apacheRequestHeaders['Authorization']); } }

Looks like a quick fix :)

From what I can see, this is fixed on current trunk, and was fixed with r22212 (by Bradley Holt, on 20 May 2010, and available since 1.10.5), which implemented case-insensitive lookups for headers.