httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Passing passwords to CGI
Date Wed, 04 Aug 1999 13:28:08 GMT


On Wed, 4 Aug 1999, Graham Leggett wrote:

> Dirk-Willem van Gulik wrote:
> 
> > > Is there a "correct" way of doing this?
> > 
> > No, of course not :-) but the solution is
> > 
> > Adding to your cflags
> > 
> >         CFLAGS += -DSECURITY_HOLE_PASS_AUTHORIZATION
> > 
> > Do a grep in the source (util_script.c) for the full story.
> 
> Here's a thought - how about including the capability for passwords to
> be inserted into the POST data that a CGI reads via stdin, i.e. the
> password could be read as if it was simply another option on a form.
> 
> The name of this POST variable would be configurable so it didn't clash
> with any existing variables in CGI.
> 
> Is this a good idea? If so, I'll try to get it to work.

I think that the point is: it is potentially bad, on a multi-user system
where you might not trust all and everyone, to let the password enter
the less controlled cgi/ssi etc. environment.

Once you are convinced that you need it in that environment, and that it
is a good tradeoff, you can as well recompile with the GAPING-BIG-SECURITY
hole settings.

IMHO your POST is just a workaround for the fact that you have to re-compile.


In that case why not tackle it head on and make it a configure directive;
i.e. add a

	'GapingWideSecurityAndIveSignedaDisclaimerInBlood <on|off>'

to the core directives. And see if you rattle any -1 vetoes out of
people for inclusion.

Dw
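
Added example, not part of the original message and not Apache's source: a simplified C sketch of the default the thread is about, where credential headers are left out of the environment handed to a CGI script unless the build opts in. `DEMO_PASS_AUTHORIZATION`, `build_cgi_env`, `leaked_credentials` and the sample request are constructed for illustration; that the real flag gates this kind of header copy is an assumption based on its name.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct header { const char *key; const char *val; };

/* Constructed sample request; the Basic value is base64 of "user:pass". */
static const struct header sample[] = {
    { "Host", "www.example.org" },
    { "Authorization", "Basic dXNlcjpwYXNz" },
    { "User-Agent", "demo/1.0" },
    { "Proxy-Authorization", "Basic dXNlcjpwYXNz" },
};

/* Copy request headers into CGI-style "HTTP_NAME=value" strings.
 * Returns the number of entries written to env. */
static int build_cgi_env(const struct header *h, int n, char env[][128], int max)
{
    int count = 0;
    for (int i = 0; i < n && count < max; i++) {
#ifndef DEMO_PASS_AUTHORIZATION /* hypothetical stand-in for the -D flag */
        if (!strcasecmp(h[i].key, "Authorization") ||
            !strcasecmp(h[i].key, "Proxy-Authorization"))
            continue;           /* the password never reaches the script */
#endif
        char name[64];
        size_t j;
        for (j = 0; h[i].key[j] && j < sizeof(name) - 1; j++) {
            unsigned char c = (unsigned char)h[i].key[j];
            name[j] = isalnum(c) ? (char)toupper(c) : '_';
        }
        name[j] = '\0';
        snprintf(env[count++], 128, "HTTP_%s=%s", name, h[i].val);
    }
    return count;
}

/* Count entries that would expose credentials to the CGI process. */
static int leaked_credentials(char env[][128], int n)
{
    int leaks = 0;
    for (int i = 0; i < n; i++)
        leaks += !strncmp(env[i], "HTTP_AUTHORIZATION=", 19) ||
                 !strncmp(env[i], "HTTP_PROXY_AUTHORIZATION=", 25);
    return leaks;
}

int main(void)
{
    char env[8][128];
    int n = build_cgi_env(sample, 4, env, 8);
    for (int i = 0; i < n; i++) puts(env[i]);
    return leaked_credentials(env, n); /* 0 in the default build */
}
```

Compiling with `-DDEMO_PASS_AUTHORIZATION` makes both credential headers appear in the script's environment, which on a multi-user host means any CGI author can read other users' passwords.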


