www-apache-bugdb mailing list archives

From Guntram Blohm <...@www5.mercedes-benz.com>
Subject general/1114: Apache does not pass Authorization header to CGI scripts
Date Thu, 11 Sep 1997 08:30:02 GMT

>Number:         1114
>Category:       general
>Synopsis:       Apache does not pass Authorization header to CGI scripts
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Thu Sep 11 01:30:01 1997
>Originator:     gbl@www5.mercedes-benz.com
>Organization:
apache
>Release:        1.2.4 and older
>Environment:
independent of OS/Compiler
>Description:
Lines 182/183 of util_script.c say

        else if (!strcasecmp (hdrs[i].key, "Authorization"))
            continue;

which prevents Authorization headers from being passed to CGI scripts,
to avoid password-stealing. I have an environment where 
1) authorization checking is very complex, and I can't use one of the available modules
2) the script needs to know which user is calling it.

In my case, I know that I'm the only one to write scripts for this server,
so I could afford to just comment the above two lines out.
>How-To-Repeat:

>Fix:
Introduce a new option into access.conf - say, Options PassAuth -
which is disabled by default and would enable passing Authorization
headers for a specific directory. This would not change the default behaviour,
but allow system managers to allow auth headers to be passed for certain
directories in which the scripts are considered to be non-malicious.
>Audit-Trail:
>Unformatted:
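
The filter quoted in the report, gated on the kind of opt-in the submitter proposes, as an added example that is not part of the original message and not Apache's code. The header table type, the pass_auth flag, the function names and the sample request are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct hdr { const char *key, *val; };  /* stand-in for the server's header table */
/* "User-Agent" -> "HTTP_USER_AGENT"; returns -1 if the name does not fit. */
static int http_env_name(const char *key, char *out, size_t outlen)
{
    size_t n = strlen(key);
    if (n + 6 > outlen) return -1;
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)key[i];
        out[5 + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[5 + n] = '\0';
    return 0;
}

/* Write "NAME=value" into env[], return the count. pass_auth models the proposed option. */
int build_cgi_env(const struct hdr *hdrs, int nhdrs, int pass_auth,
                  char env[][256], int maxenv)
{
    int count = 0;
    for (int i = 0; i < nhdrs && count < maxenv; i++) {
        char name[64];
        /* Default-deny: credentials reach the script only when opted in. */
        if (!pass_auth && !strcasecmp(hdrs[i].key, "Authorization")) continue;
        if (http_env_name(hdrs[i].key, name, sizeof name) != 0) continue;
        int w = snprintf(env[count], 256, "%s=%s", name, hdrs[i].val);
        if (w > 0 && w < 256) count++;  /* skip values that would be truncated */
    }
    return count;
}

/* Constructed sample request; returns 1 if the credential reached the env. */
int sample_exposes_auth(int pass_auth)
{
    static const struct hdr sample[] = { { "Host", "www.example.com" },
        { "authorization", "Basic ZGVtbzpkZW1v" }, { "User-Agent", "demo/1.0" } };
    char env[8][256];
    for (int i = 0, n = build_cgi_env(sample, 3, pass_auth, env, 8); i < n; i++)
        if (!strncmp(env[i], "HTTP_AUTHORIZATION=", 19)) return 1;
    return 0;
}

int main(void)
{
    return printf("default=%d opt-in=%d\n", sample_exposes_auth(0), sample_exposes_auth(1)) < 0;
}
```

With the flag off, the lower-case "authorization" header in the sample is still dropped because the comparison is case-insensitive, as in the two lines the report quotes.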


