httpd-dev mailing list archives

From Marc Slemko <>
Subject Re: How apache can pass the Authorization: header to a script ? (was: Re: Apache CGI Authentication) (fwd)
Date Mon, 10 Nov 1997 16:32:19 GMT
On Mon, 10 Nov 1997, Dirk-Willem van Gulik wrote:

> On Mon, 10 Nov 1997, Marc Slemko wrote:
> > Should we be chopping out the Proxy-Authorization before it is passed to
> > CGIs as well?
> Hmm, the proxy does _not_ pass it on I believe when carrying out its
> duty as a proxy to the final origin server. So this seems correct to me.
> Apache in general could of course be set up to have some backend CGI
> doing some proxying; in which case it is perfectly entitled to see those
> strings; it probably provoked them with a 407 anyway.

I am not talking about proxy, just passing to CGI.  Authorization: is not
passed to CGI scripts for valid security reasons.  I am suggesting that
Proxy-Authorization should be treated exactly the same way.  It is not
secure to pass to CGIs so it should not be allowed.
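
The header filtering discussed in this thread, as an added example that is not part of the original message and is not Apache's own code: request headers are mapped to `HTTP_*` CGI variables, and both `Authorization` and `Proxy-Authorization` are withheld. The function names (`is_withheld`, `header_to_cgi_env`) and the sample headers are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Credential-bearing headers that are never copied into a CGI's environment. */
static const char *const withheld[] = { "Authorization", "Proxy-Authorization" };

/* Header names are case-insensitive, so the comparison must be too. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Return 1 if this header must not be exposed to CGI scripts. */
int is_withheld(const char *name)
{
    for (size_t i = 0; i < sizeof withheld / sizeof withheld[0]; i++)
        if (eq_nocase(name, withheld[i]))
            return 1;
    return 0;
}

/* Write "HTTP_<NAME>=<value>" into out. Returns 1 if written,
 * 0 if the header is withheld or the result would not fit. */
int header_to_cgi_env(const char *name, const char *value, char *out, size_t outlen)
{
    size_t need = 5 + strlen(name) + 1 + strlen(value) + 1;
    if (is_withheld(name) || need > outlen)
        return 0;
    memcpy(out, "HTTP_", 5);
    char *p = out + 5;
    for (; *name; name++)   /* CGI convention: upper-case, non-alphanumerics become '_' */
        *p++ = isalnum((unsigned char)*name) ? (char)toupper((unsigned char)*name) : '_';
    sprintf(p, "=%s", value);
    return 1;
}

int main(void)
{
    const char *hdrs[][2] = {   /* constructed sample request headers */
        { "User-Agent", "example/1.0" },
        { "authorization", "Basic ZXhhbXBsZTpleGFtcGxl" },
        { "Proxy-Authorization", "Basic ZXhhbXBsZTpleGFtcGxl" },
    };
    char env[256];
    for (size_t i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++)
        if (header_to_cgi_env(hdrs[i][0], hdrs[i][1], env, sizeof env))
            puts(env);
        else
            printf("not passed to CGI: %s\n", hdrs[i][0]);
    return 0;
}
```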
