httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Passing passwords to CGI
Date Wed, 04 Aug 1999 12:11:57 GMT


On Wed, 4 Aug 1999, Graham Leggett wrote:

> I have the need for a CGI program to know the username and password the
> user logged in with, so that I can use this info to bind to an LDAP
> server. I know that the username is passed in the environment, but what
> about the password? Can Apache do this?
> 
> If not, are there security issues with passing the password in the
> environment? Anyone know of any patches so that Apache can do this?

Yes; but you really do not want to :-)
 
> Is there a "correct" way of doing this?

No, of course not :-) but the solution is

Adding to your cflags

	CFLAGS += -DSECURITY_HOLE_PASS_AUTHORIZATION

Do a grep in the source (util_script.c) for the full story.

Dw.


        /*
         * You really don't want to disable this check, since it leaves you
         * wide open to CGIs stealing passwords and people viewing them
         * in the environment with "ps -e".  But, if you must...
         */
#ifndef SECURITY_HOLE_PASS_AUTHORIZATION
        else if (!strcasecmp(hdrs[i].key, "Authorization")
                 || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
            continue;
        }
#endif
        else {
            ap_table_addn(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);
        } 
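As an added illustration (not Apache's code, and not part of the original message), here is a small stand-alone C model of the header-to-environment step quoted above, keeping the default that drops credential headers before a CGI can see them. The http2env below is a simplified re-implementation of the real helper, and the request headers are constructed sample values.

```c
/* Added example (not Apache's code): minimal model of the CGI environment
 * builder, preserving the default that drops Authorization and
 * Proxy-Authorization headers before they reach a CGI process. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ENV 16

/* Simplified http2env: "Content-Type" -> "HTTP_CONTENT_TYPE". */
static void http2env(const char *key, char *out, size_t outlen) {
    size_t n = strlen(key), i;
    snprintf(out, outlen, "HTTP_");
    for (i = 0; i < n && 5 + i < outlen - 1; i++)
        out[5 + i] = (key[i] == '-') ? '_' : (char)toupper((unsigned char)key[i]);
    out[5 + i] = '\0';
}

/* Returns 1 for headers that carry credentials and must stay out of the
 * environment (the check that SECURITY_HOLE_PASS_AUTHORIZATION removes). */
int is_credential_header(const char *key) {
    return strcasecmp(key, "Authorization") == 0
        || strcasecmp(key, "Proxy-Authorization") == 0;
}

/* Fills env[] with "NAME=value" strings from header pairs; returns count. */
int build_cgi_env(const char *keys[], const char *vals[], int nhdrs,
                  char env[][128], int maxenv) {
    int count = 0;
    for (int i = 0; i < nhdrs && count < maxenv; i++) {
        char name[64];
        if (is_credential_header(keys[i]))
            continue;                       /* skipped, exactly as upstream */
        http2env(keys[i], name, sizeof name);
        snprintf(env[count++], 128, "%s=%s", name, vals[i]);
    }
    return count;
}

int main(void) {
    /* Constructed sample request headers; the Basic value is a dummy. */
    const char *keys[] = {"Host", "Authorization", "Content-Type"};
    const char *vals[] = {"www.example.org", "Basic dXNlcjpwYXNz", "text/plain"};
    char env[MAX_ENV][128];
    int n = build_cgi_env(keys, vals, 3, env, MAX_ENV);
    for (int i = 0; i < n; i++)
        puts(env[i]);  /* prints HTTP_HOST=... and HTTP_CONTENT_TYPE=... only */
    return 0;
}
```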