httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: [PATCH] define to allow passing of Authorization header
Date Sat, 01 Nov 1997 21:41:13 GMT
+1 on this, but I'd also +1 it if you changed the define to
HUGE_SECURITY_HOLE_PASSING_AUTHORIZATION_TO_CGI and documented it that
way... 

Dean

On Fri, 31 Oct 1997, Marc Slemko wrote:

> Anyone agree with the below?  It simply adds an (undocumented) define to
> allow people to pass the Authorization header to scripts.
> 
> I'm not entirely convinced about this; I really don't think it is worth
> the overhead of a runtime config option, since most people are too dumb to
> know what they are doing, but it can be useful in some limited situations.
> An argument against this is that any moron should be able to figure out to
> delete the two lines; the ifdef + comment are extra documentation in a way
> though...
> 
> In any case, either people go for this and it is added or PR#549 is closed
> saying that we can find no way to justify support for such a thing at the
> current time.
> 
> Things like mod_auth_external are far better for the vast majority of
> possible uses of this anyway.
> 
> Index: util_script.c
> ===================================================================
> RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
> retrieving revision 1.82
> diff -u -r1.82 util_script.c
> --- util_script.c	1997/10/24 15:40:55	1.82
> +++ util_script.c	1997/11/01 03:35:59
> @@ -186,8 +186,15 @@
>  	    table_set(e, "CONTENT_TYPE", hdrs[i].val);
>  	else if (!strcasecmp(hdrs[i].key, "Content-length"))
>  	    table_set(e, "CONTENT_LENGTH", hdrs[i].val);
> +	/*
> +	 * You really don't want to disable this check, since it leaves you
> +	 * wide open to CGIs stealing passwords and people viewing them
> +	 * in the environment with "ps -e".  But, if you must...
> +	 */
> +#ifndef PASS_AUTHORIZATION
>  	else if (!strcasecmp(hdrs[i].key, "Authorization"))
>  	    continue;
> +#endif
>  	else
>  	    table_set(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);
>      }
> 
> 
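Review bot: the source comment above the `#ifndef` is the only place the risk is recorded, while the cover note says the define stays undocumented; if PASS_AUTHORIZATION ships, the consequences spelled out in that comment (CGIs reading the credential, anyone on the box seeing it in the process environment via `ps -e`) belong in the build/configuration documentation too, and a define name that states the risk, as suggested upthread, makes an accidental `-DPASS_AUTHORIZATION` in a build less likely. Separately, the `continue` only covers `Authorization`; a `Proxy-Authorization` header still falls through to the `else` branch and is exported through `http2env`, so the same environment-exposure concern applies to it and it may deserve the same treatment.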

