added shibboleth_getenv #13

Open: wants to merge 2 commits into master
cjbnc commented Jul 6, 2015

We're running various hosting services on our campus using different installations of PHP. Some folks have mod_php with the standard behavior. Others are using Apache + mod_fastcgi + php-fpm. On those servers, the Apache httpd rewrites all the environment variables from Shibboleth by prefixing them with 'REDIRECT_'. So for example,

eppn => REDIRECT_eppn
givenName => REDIRECT_givenName
etc.

One of our problems is that we'd like to offer the ability to move to newer PHP versions on the same server, which means moving from mod_php to mod_fastcgi and hoping that we don't break WordPress and this Shibboleth plugin in particular.

The pull request is to include the code that I added to allow this plugin to handle Shibboleth environment variables the same way, regardless of whether the PHP engine is running as mod_php or mod_fastcgi. I've tested this modification on my WordPress 4.2.2 test server, using mod_php 5.3.x and mod_fastcgi+php-fpm 5.4.x, 5.5.x, and 5.6.x. It appears to work correctly and transparently.

jrchamp (Contributor) commented Jul 6, 2015

Overall, very nice. Happy to see that this is working on a larger variety of setups.

cjbnc (Author) commented Jul 6, 2015

I agree with jrchamp's suggestions. I've replaced my function with his and tested it on my server. Still works as expected.

ck-ws (Contributor) commented May 25, 2016

@cjbnc, would you update this PR so that it doesn't conflict any longer, please? mitcho may accept it then.

jrchamp (Contributor) commented May 25, 2016

Here's the rebased copy I'm using: master...jrchamp:pr_getenv

ck-ws (Contributor) commented Aug 14, 2016

@mitcho, would you mind merging the pull request with the rebased copy by jrchamp?

srguglielmo commented

Hi all,

I'm trying to identify why this is needed (for srguglielmo/SimpleShib#1). I'm running Apache 2.4, PHP 7.0 via FPM and mod_proxy_fcgi. My HTTP headers are not prefixed with REDIRECT_ (or anything else).

Additionally, I confirmed in the PHP IRC support channel on Freenode that this is non-standard and HTTP headers are not prefixed automatically based on mod_php/fpm/etc.

In rfc3875 section 4.1.18:

Meta-variables with names beginning with "HTTP_" contain values read
from the client request header fields, if the protocol used is HTTP.
The HTTP header field name is converted to upper case, has all
occurrences of "-" replaced with "_" and has "HTTP_" prepended to
give the meta-variable name.

However, Apache's mod_shib sends headers without the HTTP_ prefix (preventing client forgery). As such, the shib headers should be accessed via $_SERVER['eppn'].

What are the details of the environment in which this is happening? Even if the environment is behind a reverse proxy, the headers are generated via mod_shib on the local Apache instance and should not change...
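
The lookup discussed in this thread, as an added example that is not the plugin's code or the PR's `shibboleth_getenv`: `example_shib_attribute` is a hypothetical helper that tries the plain attribute name, then `REDIRECT_`-prefixed forms, and never reads `HTTP_`-prefixed keys, which come from client request headers. It goes beyond the single prefix described above by also handling stacked `REDIRECT_REDIRECT_` prefixes, which Apache adds once per internal redirect; the sample arrays are constructed.

```php
<?php
// Added illustration (PHP 7.1+); names and sample data are assumptions,
// not taken from the plugin or from the pull request.

/**
 * Look up a Shibboleth attribute in a $_SERVER-style array.
 *
 * Tries "eppn", then "REDIRECT_eppn", then "REDIRECT_REDIRECT_eppn", ...
 * up to $maxRedirects prefixes. Returns null when nothing is set.
 */
function example_shib_attribute(string $name, array $server, int $maxRedirects = 3): ?string
{
    // HTTP_* keys are built from client request headers (RFC 3875, 4.1.18),
    // so they must never be accepted as identity attributes.
    if (stripos($name, 'HTTP_') === 0) {
        return null;
    }

    $key = $name;
    for ($i = 0; $i <= $maxRedirects; $i++) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
        $key = 'REDIRECT_' . $key;   // next candidate: one more internal redirect
    }
    return null;
}

// Constructed sample environments, standing in for $_SERVER.
$samples = [
    'mod_php'   => ['eppn' => 'alice@example.edu'],
    'fastcgi'   => ['REDIRECT_eppn' => 'alice@example.edu'],
    'stacked'   => ['REDIRECT_REDIRECT_eppn' => 'alice@example.edu'],
    // A client sending an "eppn:" request header only produces HTTP_EPPN.
    'forged'    => ['HTTP_EPPN' => 'admin@example.edu'],
];

foreach ($samples as $label => $env) {
    $eppn = example_shib_attribute('eppn', $env);
    printf("%-8s eppn=%s\n", $label, $eppn === null ? '(not set)' : $eppn);
}
```

In a real request handler the second argument would be `$_SERVER`; the `forged` case resolves to "(not set)" because only the unprefixed and `REDIRECT_` forms are consulted.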

jrchamp (Contributor) commented Jun 1, 2017

It's likely that the REDIRECT_ prefix is being added by mod_rewrite.

cjbnc (Author) commented Jun 1, 2017

All of my webservers still running RHEL6 + Apache 2.2.15 + mod_fastcgi-2.4.6 + php-fpm have this behavior.
So does my RHEL7/Apache 2.4 based cPanel server running its PHP version picker (which I believe is fpm based).

srguglielmo commented

OK, I did some research on this. I think the difference is the CGI module being used. It looks like there are three available:

  • mod_fastcgi, a 3rd party Apache module released under a custom open-source license. Website offline, not sure if this is supported upstream (but there seem to be forks around).
  • mod_fcgid, originally 3rd party, but moved to Apache core in 2009.
  • mod_proxy_fcgi, new in Apache 2.4, officially part of Apache core.

I'm using mod_proxy_fcgi in 2.4 on RHEL7. I created a ticket to track this for my plugin.

Thanks for the info!

Sources:
https://serverfault.com/a/783176
https://en.wikipedia.org/wiki/FastCGI#Web_Servers_that_implement_FastCGI

michaelryanmcneill commented

Hello, thank you for submitting this patch. I released version 1.8 today to resolve this and other issues and included a shoutout for your patch. I am the new maintainer of the plugin and all further work on the plugin will be done in a new GitHub repository. If you have any further issues, please don't hesitate to report them in the new repository.
