Date: Fri, 6 Feb 2004 13:18:04 -0500 (Est)
From: Joshua Slive
To: users@httpd.apache.org
In-Reply-To: <4023D081.4040904@3times25.net>
References: <4023D081.4040904@3times25.net>
Subject: Re: [users@httpd] do I have access to the user id used in basic authentication?

On Fri, 6 Feb 2004, Geoffrey wrote:

> The initial page is static html, but it's a form that's processed by
> perl.  Here's my solution using server side includes, since I wanted to
> be able to pass the value as an input to the cgi:
>
> value="">
>
> I wrapped it to fit the email, but in the code, it was all on one line.
>
> Which produces the following in the html nicely:
>
>

Woh.
This is terribly insecure and should only be used if you don't really
care what userid the cgi script sees.  The user could bypass your html
page and supply any userid it wants to the cgi script.

To make this more secure, you should protect the cgi script itself with
basic auth and look at the REMOTE_USER env variable inside the cgi script.

Joshua.
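
The approach recommended in the reply, as an added example that is not code from the thread: the Perl CGI takes the user id only from the REMOTE_USER variable Apache sets once basic auth protects the script's own URL, and never reads it from a form field. The script name process.cgi, the htpasswd path, the form field name userid and the sample user are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example. Assumes Apache protects this script's own URL, e.g.
# (script name and file path are placeholders):
#   <Files "process.cgi">
#       AuthType Basic
#       AuthName "Members"
#       AuthUserFile /path/to/htpasswd
#       Require valid-user
#   </Files>
use strict;
use warnings;

# Return the user id the server authenticated, or undef if there is none.
# Nothing from the query string or POST body is consulted.
sub authenticated_user {
    my ($env) = @_;
    my $user = $env->{REMOTE_USER};
    return unless defined $user && length $user;
    return unless lc($env->{AUTH_TYPE} // '') eq 'basic';
    return $user;
}

# Escape the value before echoing it into HTML.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Build the full CGI response (headers plus body) for a given environment.
sub respond {
    my ($env) = @_;
    my $user = authenticated_user($env);
    return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
         . "No authenticated user; is this script behind basic auth?\n"
        unless defined $user;
    return "Content-Type: text/html; charset=us-ascii\r\n\r\n"
         . "<p>Processing request for " . html_escape($user) . "</p>\n";
}

if ($ENV{GATEWAY_INTERFACE}) {
    print respond(\%ENV);                      # running under the web server
} else {
    # Constructed demo input: a client-supplied userid field is never read.
    my %no_auth   = (QUERY_STRING => 'userid=someone-else');
    my %with_auth = (%no_auth, AUTH_TYPE => 'Basic', REMOTE_USER => 'geoffrey');
    print respond(\%no_auth), "\n", respond(\%with_auth);
}
```

Run from a shell, the demo prints a 403 for the request that carries only the form field and a normal page for the one where the server supplied REMOTE_USER.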