www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Forsman <th...@purplefrog.com>
Subject mod_cgi/1972: (RFE) There is no way to pass HTTP Auth information to a CGI script
Date Fri, 20 Mar 1998 20:09:36 GMT

>Number:         1972
>Category:       mod_cgi
>Synopsis:       (RFE) There is no way to pass HTTP Auth information to a CGI script
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Fri Mar 20 12:10:00 PST 1998
>Last-Modified:
>Originator:     thoth@purplefrog.com
>Organization:
apache
>Release:        1.2.5
>Environment:
any
>Description:
In certain cases, it is useful to pass the HTTP auth information to a CGI.
This would allow the CGI to perform authentication without blindly trusting
its environment.  This is highly desirable for setuid CGI scripts which could
be execced in a doctored environment from a compromised httpd account.
>How-To-Repeat:

>Fix:
new directive:

<Directory /home/httpd/cgi-put/put.perl>
PassAuthPassword 5
# passes the HTTP Auth password (if present) in on descriptor 5
</Directory>

  I'm not sure if there's a better choice than Directory, but you get the idea.
%0
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]




Mime
View raw message