httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk-Willem van Gulik <>
Subject Re: How apache can pass the Authorization: header to a script ? (was: Re: Apache CGI Authentication) (fwd)
Date Mon, 10 Nov 1997 17:15:43 GMT
On Mon, 10 Nov 1997, Marc Slemko wrote:

> On Mon, 10 Nov 1997, Dirk-Willem van Gulik wrote:
> You miss the point.  You can argue about why you should have the
> Authorization: header passed as well.  The point is that it is not secure,
> period.  Any possible uses of it does not make it secure.  

I agree that we seem to be on different wavelengths; Security wise, it is
absolutely essential that the apache, while it is being a proxy to an
untrusted environment, filters out the Proxy-Auth* line prior to passing
it on to the next server. This I absolutely agree with. 

Likewise it is very essential that in an untrusted user environment the
Auth header is zapped as well, prior to passing it on to the CGI script. 

Now the third issue; what if the server is setup to allow CGI scripts to
do proxying on behalf of the user. Now the only Auth header it can get
(and possibly needs to, to do its jobs) is that intented for its role as a
proxy; Proxy-Auth.. i.e. outside mod_auth.c uses.

So the user gives the CGI script a proxy username/password pair which is
only of relevance to the CGI script and cannot be used outside that
context; the CGI script has to do the checking itself (mod_*_auth.c is not
going to do that) and the uid/pwd pair has no relevance to any of the
realms the server itself is responsible for.

The only reason I could see is that it allows easier construction of
troyan horses; i.e. the user might be tempted to enter the wrong uid/pwd
in the wrong place. But so does the usual HTML trickery like 

	<form action="mailto:..">
	Login:  <input><br>
	Passwd: <inputtype="password"><br>
	<input type=submitvalue="login">

?? or am I still not understanding the exact point ??


View raw message