[ZBX-23964] api_scim.php authentication bearer case sensitive Created: 2024 Jan 19  Updated: 2025 Feb 13

Status: Confirmed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 6.4.10, 7.0.0alpha9
Fix Version/s: None

Type: Problem report Priority: Major
Reporter: A.J. Goedhart Assignee: Zabbix Development Team
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Tested at VM installation with apache
Tested at Docker installation with apache

Description

Steps to reproduce:

  1. Install simple environment and enable SAML (no need for a working SAML environment)
  2. Create API key with super admin rights
  3. curl -v -X GET http://localhost/api_scim.php/Users?filter=userName+eq+%2208804361-82b0-4acd-b2ab-1be9fc33e797%22 -H "authorization: Bearer 91c1c211776400ccb0af2cca42057297f486394fc94bc9e6fce2c192f0c46580"

Result:

{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Not authorized.","status":403}

Expected:
If using Authorization with capital A:
curl -v -X GET http://localhost/api_scim.php/Users?filter=userName+eq+%2208804361-82b0-4acd-b2ab-1be9fc33e797%22 -H "Authorization: Bearer 91c1c211776400ccb0af2cca42057297f486394fc94bc9e6fce2c192f0c46580"

Result:

{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"totalResults":0,"Resources":[]}

According to the [HTTP Protocol specification|https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2], HTTP headers need to be case insensitive.

Comments
Comment by Paul [ 2024 Aug 13 ]

Reproduced the same issue on 7.0.2

Comment by Matthieu Berthomé [ 2025 Feb 13 ]

I have the same issue; I found it trying to call the API behind HAProxy.
HAProxy now defaults to storing and sending HTTP headers in lowercase (as a way to do the same thing for HTTP/1 and HTTP/2), so the way the Authorization header is checked on this line

https://github.com/zabbix/zabbix/blob/f0965b748e3f06463885497b4fc07f1250d8fd2d/ui/include/classes/core/CHttpRequest.php#L68

is not compliant with the HTTP specs (the getallheaders function returns a case-sensitive array).
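To make the behaviour described in the report and in the HAProxy comment concrete, the following is an added PHP example that is not Zabbix's code: the exact-key function is a hypothetical stand-in for a lookup keyed on the literal spelling "Authorization" (the real check in CHttpRequest.php is not reproduced here), and it is run beside a case-insensitive lookup over the two header spellings from the report's curl commands. The exact-key lookup finds no token for the lowercase spelling, which is the 403 path; the normalized lookup finds it for both.

```php
<?php
// Added illustration, not Zabbix code. getallheaders() keeps header names exactly
// as the client or proxy sent them, so these two constructed arrays stand for what
// it returns for the two curl invocations in the report (token value is a placeholder).
$sentWithCapitalA = ['Host' => 'localhost', 'Authorization' => 'Bearer PLACEHOLDER_API_TOKEN'];
$sentLowercase    = ['Host' => 'localhost', 'authorization' => 'Bearer PLACEHOLDER_API_TOKEN'];

// Hypothetical exact-key lookup: only the spelling "Authorization" matches,
// so a header name lowercased by HAProxy (or sent lowercase by curl) yields no token.
function bearerTokenExactKey(array $headers): ?string
{
    if (!isset($headers['Authorization'])) {
        return null;
    }
    return preg_match('/^Bearer\s+(\S+)$/', $headers['Authorization'], $m) ? $m[1] : null;
}

// Case-insensitive lookup: RFC 7230 section 3.2 makes field names case-insensitive,
// and RFC 7235 makes the scheme token ("Bearer") case-insensitive as well.
function bearerTokenCaseInsensitive(array $headers): ?string
{
    $lower = array_change_key_case($headers, CASE_LOWER);
    if (!isset($lower['authorization'])) {
        return null;
    }
    return preg_match('/^\s*Bearer\s+(\S+)\s*$/i', $lower['authorization'], $m) ? $m[1] : null;
}

// Run both lookups against both spellings and show which one finds the token.
foreach (['Authorization' => $sentWithCapitalA, 'authorization' => $sentLowercase] as $spelling => $headers) {
    printf("%-14s exact-key: %-26s case-insensitive: %s\n",
        $spelling,
        var_export(bearerTokenExactKey($headers), true),
        var_export(bearerTokenCaseInsensitive($headers), true));
}
```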
