ZF-8825: Zend_Auth_Adapter_Http::authenticate() looks for 'Authorization' header when 'authorization' is also valid

Issue Type: Bug Created: 2010-01-14T14:42:30.000+0000 Last Updated: 2013-01-10T20:19:23.000+0000 Status: Resolved Fix version(s): Reporter: Marc Guyer (marcguyer) Assignee: Bradley Holt (bradley.holt) Tags: - Zend_Controller

Related issues: Attachments:


A customer of ours was trying to authenticate to our app using basic authentication and python httplib2. It turns out that httplib2 lowercases headers before sending (which appears to be valid). From the HTTP/1.1 spec: {quote} 4.2 Message Headers

HTTP header fields, which include general-header (section 4.5), request-header (section 5.3), response-header (section 6.2), and entity-header (section 7.1) fields, follow the same generic format as that given in Section 3.1 of RFC 822 [9]. Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive. ... {quote} This would affect both basic and digest auth.

In looking at Zend_Controller_Request_Http::getHeader() one can see that the first attempt to find the header is a look at the $SERVER superglobal which has all uppercase keys for HTTP* headers. Since the 'authorization' header is not in the $_SERVER array, the apache_request_headers() response is then searched.

My first thought would be to alter the fallback in Zend_Controller_Request_Http::getHeader() to strtoupper() the apache_request_headers() resulting array keys. This would match the _SERVER style.

Here's a diff:

< if (!empty($headers[$header])) {

< return $headers[$header];

$headers = array_change_key_case($headers, CASE_UPPER); if (!empty($headers[strtoupper($header)])) { return $headers[strtoupper($header)];


Posted by Natalia Bartol (natalia.b) on 2012-11-14T18:25:04.000+0000

I also bumped into this issue when using CordovaJS library, see:

In Zend\Http\PhpEnvironment\Request::setServer you check for 'Authorization' with capital 'A' only:

// This seems to be the only way to get the Authorization header on Apache if (function_exists('apache_request_headers')) { $apacheRequestHeaders = apache_request_headers(); if (!isset($this->serverParams['HTTP_AUTHORIZATION']) && isset($apacheRequestHeaders['Authorization']) ) { $this->serverParams->set('HTTP_AUTHORIZATION', $apacheRequestHeaders['Authorization']); } }

Looks like a quick fix :)

Posted by Matthew Weier O'Phinney (matthew) on 2013-01-10T20:18:43.000+0000

From what I can see, this is fixed on current trunk, and was fixed with r22212 (by Bradley Holt, on 20 May 2010, and available since 1.10.5), which implemented case-insensitive lookups for headers.

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.