httpd-dev mailing list archives

From "David Harris" <>
Subject RE: Passing passwords to CGI
Date Wed, 04 Aug 1999 13:58:14 GMT

> Here's a thought - how about including the capability for passwords to
> be inserted into the POST data that a CGI reads via stdin, i.e. the
> password could be read as if it was simply another option on a form.
> The name of this POST variable would be configurable so it didn't clash
> with any existing variables in CGI.
> Is this a good idea? If so, I'll try to get it to work.

First, I'd look to see if the whole thing could not be done with some kind of
authorization handler in mod_perl... I don't know how it would pass information
on to the cgi-script, but if you did everything on mod_perl, then you might not
even need to.

How about creating a file descriptor number three that would be used for
private information (such as this) that needs to be passed between the
webserver and the CGI process. Encoding would be the same as the POST encoding,
and you would just use an environment variable like PRIVATE_CONTENT_LENGTH to
trigger the CGI script that this file descriptor was there to be read from. The
main advantage of this is that you don't have to muck with preventing clashes
in the post form.

Or.. you could add to the post form, but delineate with environment variables
how many bytes were generated by the POST from the client and how many your
module added. Let's say that the client posts 2000 bytes of stuff, and you
encode the password in 30 bytes, you would encode CONTENT_LENGTH=2000 and
PRIVATE_CONTENT_LENGTH=30. This way a well-behaved script unaware of this
extension would only read the first 2000 bytes from STDIN and get only the
appropriate form data. A smart script would then read the next 30 bytes and get
the private content stuff.

(The second method with the data loaded onto the same filehandle instead of two
filehandles like the first method may be easier to implement, because you don't
have to create another pipe or bother doing a select on write.)

It would be really nice if you could generalize this with a new table in the
structure.. there is a table for modules to add to the environment of CGI
scripts, but that's insecure.. this is just a secure way to pass stuff.

 - David Harris
   Principal Engineer, DRH Internet Services
