httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject [PATCH] define to allow passing of Authorization header
Date Sat, 01 Nov 1997 03:45:28 GMT
Anyone agree with the below?  It simply adds an (undocumented) define to
allow people to pass the Authorization header to scripts.

I'm not entirely convinced about this; I really don't think it is worth
the overhead of a runtime config option, since most people are too dumb to
know what they are doing, but it can be useful in some limited situations.
An argument against this is that any moron should be able to figure out to
delete the two lines; the ifdef + comment are extra documentation in a way

In any case, either people go for this and it is added or PR#549 is closed
saying that we can find no way to justify support for such a thing at the
current time.

Things like mod_auth_external are far better for the vast majority of
possible uses of this anyway.

Index: util_script.c
RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
retrieving revision 1.82
diff -u -r1.82 util_script.c
--- util_script.c	1997/10/24 15:40:55	1.82
+++ util_script.c	1997/11/01 03:35:59
@@ -186,8 +186,15 @@
 	    table_set(e, "CONTENT_TYPE", hdrs[i].val);
 	else if (!strcasecmp(hdrs[i].key, "Content-length"))
 	    table_set(e, "CONTENT_LENGTH", hdrs[i].val);
+	/*
+	 * You really don't want to disable this check, since it leaves you
+	 * wide open to CGIs stealing passwords and people viewing them
+	 * in the environment with "ps -e".  But, if you must...
+	 */
 	else if (!strcasecmp(hdrs[i].key, "Authorization"))
 	    table_set(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);

View raw message