httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@ast.cam.ac.uk (David Robinson)
Subject authentication of included documents
Date Tue, 04 Apr 1995 16:16:00 GMT
This may not be much of an issue, but I'll mention it anyway...

Suppose I have a parsed html file, /john/secret.shtml that is protected
by basic authentication in the realm (kingdom?) JohnsStuff.
This file #includes's another document, /david/bb.html, which is also
protected, in the realm TheBB.

What should httpd do when a user accesses /john/secret.shtml with a correct
username & password for the JohnsStuff realm? At present, it will look up
the username and password in the TheBB realm, and if there is a match then
the #include will succeed.

This seems wrong to me. The client has only provided credentials for the
JohnsStuff realm, so it shouldn't be able to access files in the TheBB realm.
Of course, the actually probability of a security hole because two independent
users have the same usernames and passwords is small.

I think that httpd should disallow includes (and execs) of documents in
different realms. What do folks think?

 David.

Mime
View raw message