httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Wilson <>
Subject Re: Authorization checking
Date Wed, 10 Apr 1996 15:43:07 GMT
So what's proposed is that CGI-BIN scripts should have access to
the incoming passwords by receiving them in HTTP_THE_PASSWORD_FOR_TODAY_IS
environment variables?  If this were done, (it's a one line hack,
if not a -1line hack since you need to remove an 'if' statement)
then there should be some way to prevent passwords being passed to
*all* the CGI/SSI environment regardless.

This is because we really don't want to release a 1.1 that suddenly
allows anyone in the world to capture and otherwise abuse the
security set up on thousands of sites.

A directive like:

    AuthTrusted <path>

could work to pass the full uncensored header set to any pages/scripts
falling under path so:

    # webmaster's personal set of password assigning scripts
    AuthTrusted /cgi-bin/secure/
    # the subscriber page has some funky SSI which needs to
    # see the password
    AuthTrusted /subscribers/

If people *want* to play with the passwords then lettem, but only
with the webadmin's consent, and keep the default behaviour as it
is now.



> I am not sure wether the message attached below has reached the 
> list.
> Essentially what the guy is proposing is to alway pass along the auth
> information to cgi-scripts. (Or pass all header info along), even
> if there is no auth set in apache.
> This would allow client scripts, by using an modifed status reply
> to 'fake' or do their own authorization control.
> I think this is a very good idea.
> If no one objects or has better ideas I will look into this and
> ensure that all information from the header gets passed to the
> cgi-scripts regardless of the auth checking. This is IMHO a
> good thing anyway.
> Of course, this does imply that the cgi authors will have to
> be responsible for their own security stuff :-)
> Dw.
> ----- Begin Included Message -----
> >From Tue Apr  9 21:51:46 1996
> From:
> Date: Tue, 9 Apr 96 15:49:47 EDT
> Cc:,,
> Subject: Apache Authorization header handling
> Content-Length: 2678
> This is not a bug-report per se, but making a suggestion in the 
> context of discussing implementation for Authorization of
> cgi-programs.
> Apache has choosen to only pass to a cgi program a portion of
> the "Authorization" header, and then only when the cgi-program
> is subject to Authorization checking due to the presense
> of a file like '.htaccess' in the directory with the program.
> Under thos conditions, the 'username' is passed to "REMOTE_USER", 
> the password is not passed.  
> I submit that an improved performance should be used:
> in the case that an "Authorization" header is sent by the
> client, but the target cgi-program is not subject to
> Authorization checking, that the contents of the
> "Authorization" header be placed into an environmental
> Why, you ask?  This allows programs/scripts to assign and administer
> usernames and passwords.  A client accessing the script
> without an "Authorization" header is sent a 401 response
> using an nph- script.
> When they respond with an authorization header, the 
> username and password are checked BY THE SCRIPT against
> the group and password files (or DBM files).  In the
> case that the username exists and the password matches, 
> the script allows access to the restricted information.
> In the case that the username does not exist, the 
> username and password may be added to the authorization files.
> This performance is not possible with the present handling
> of the "Authorization" header.
> The documentation I can find is hazy about what to do:
> "In addition to these, the header lines received from the client, if any, 
> are placed into the environment with the prefix HTTP_ followed by the 
> header name. Any - characters in the header name are changed to _ 
> characters. The server may exclude any headers which it has already 
> processed, such as Authorization, Content-type, and Content-length. If
> necessary, the server may choose to exclude any or all of these headers 
> if including them would exceed any system environment limits. "
> My reading of this would be that "may exclude" means that what I
> suggest is reasonable.  Hey, after all, you pass "Content-length";
> why not Authorization?
> On that point, can someone tell me how to change the source code so that
> the Authorization header is handed off to "HTTP_AUTHORIZATION"?
> I can barely read C, and this is not clear to me in the cgi-module
> source code.  I assume this is not passed off at some point because
> it is handled as an exception, but where, where, where?
> Thanks.  Regards, Mike West
> ----- End Included Message -----

View raw message