httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk-Willem van Gulik <>
Subject Re: Passing passwords to CGI
Date Wed, 04 Aug 1999 12:11:57 GMT

On Wed, 4 Aug 1999, Graham Leggett wrote:

> I have the need for a CGI program to know the username and password the
> user logged in with, so that I can use this info to bind to an LDAP
> server. I know that the username is passed in the environment, but what
> about the password? Can Apache do this?
> If not, are there security issues with passing the password in the
> environment? Anyone know of any patches so that Apache can do this?

Yes; but you really do not want to :-)
> Is there a "correct" way of doing this?

No, of course not :-) but the solution is

Adding to your cflags


Do a grep in the source (util_script.c) for the full story.


         * You really don't want to disable this check, since it leaves you
         * wide open to CGIs stealing passwords and people viewing them
         * in the environment with "ps -e".  But, if you must...
        else if (!strcasecmp(hdrs[i].key, "Authorization")
                 || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
        else {
            ap_table_addn(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);

View raw message