www-apache-bugdb mailing list archives

From Steve Ford <sf...@futuresource.com>
Subject mod_auth-any/606: POST to an htaccess-protected cgi doesn't challenge user
Date Thu, 22 May 1997 20:40:02 GMT

>Number:         606
>Category:       mod_auth-any
>Synopsis:       POST to an htaccess-protected cgi doesn't challenge user
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu May 22 13:40:01 1997
>Originator:     sford@futuresource.com
>Organization:
apache
>Release:        1.2b10
>Environment:
FreeBSD 2.1.7.1, gcc version 2.6.3
>Description:
I have a CGI script in a directory that has an ".htaccess" file requiring
the user to belong to a certain group.  If I enter that CGI URL as a browser
location, it correctly challenges me for username and password.  The same thing
happens when I get to the CGI via the "GET" method.  In both cases, the script
is run with the "REMOTE_USER" environment variable set to the username, and
the access log file shows the access coming from username.

However, if I get there via a POST method (with a freshly started browser, of
course), it lets me right into the script.  Unlike the above two methods, the
script is run _without_ "REMOTE_USER" set, and the access log file shows the
access coming from user "-".  No error messages appear in the error log.

The above behavior also happens if the browser has already supplied the username
and password.  I.e., the script is run without "REMOTE_USER" set and the access
log shows the user "-".

It's as if apache forgets to check for ".htaccess" when the method is POST.

FYI - I don't know if it makes any difference, but the CGI is under a virtual
server.  Also, the cgi-bin directory is under the document tree, with an
appropriate ScriptAlias in the httpd.conf file.
>How-To-Repeat:
Available on request.
>Fix:

>Audit-Trail:
>Unformatted:



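A defender-side check for the symptom the report describes, added here as an example (it is not part of the original report and not Apache's own code): scan Common Log Format access-log lines for successful requests under a protected path prefix where the authuser field is "-", which is exactly what the submitter saw for the POST. The protected prefix and the sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Common Log Format: host ident authuser [date] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Hypothetical prefixes covered by an .htaccess "require group" (constructed).
PROTECTED_PREFIXES = ("/cgi-bin/",)

@dataclass(frozen=True)
class Finding:
    host: str
    method: str
    path: str
    status: int

def find_unauthenticated_hits(lines, prefixes=PROTECTED_PREFIXES) -> list:
    """Return successful (2xx) requests to protected paths with no authenticated user.
    A 401 with user "-" is the normal challenge; a 2xx with user "-" is the bug."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        status = int(m.group("status"))
        if not path.startswith(prefixes):
            continue
        if 200 <= status < 300 and m.group("user") == "-":
            findings.append(Finding(m.group("host"), m.group("method"), path, status))
    return findings

# Constructed sample log: GET is challenged then authenticated, POST is let through.
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/1997:13:39:50 -0500] "GET /cgi-bin/report.cgi HTTP/1.0" 401 321
192.0.2.10 - alice [22/May/1997:13:40:01 -0500] "GET /cgi-bin/report.cgi HTTP/1.0" 200 512
192.0.2.10 - - [22/May/1997:13:41:07 -0500] "POST /cgi-bin/report.cgi HTTP/1.0" 200 512
192.0.2.12 - - [22/May/1997:13:43:00 -0500] "GET /index.html HTTP/1.0" 200 1024
"""

if __name__ == "__main__":
    for f in find_unauthenticated_hits(SAMPLE_LOG.splitlines()):
        print(f"{f.host} {f.method} {f.path} -> {f.status} with no REMOTE_USER")
```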