Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1997/11/01 04:45:28 UTC

[PATCH] define to allow passing of Authorization header

Anyone agree with the below?  It simply adds an (undocumented) define to
allow people to pass the Authorization header to scripts.

I'm not entirely convinced about this; I really don't think it is worth
the overhead of a runtime config option, since most people are too dumb to
know what they are doing, but it can be useful in some limited situations.
An argument against this is that any moron should be able to figure out to
delete the two lines; the ifdef + comment are extra documentation in a way
though...

In any case, either people go for this and it is added or PR#549 is closed
saying that we can find no way to justify support for such a thing at the
current time.

Things like mod_auth_external are far better for the vast majority of
possible uses of this anyway.

Index: util_script.c
===================================================================
RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
retrieving revision 1.82
diff -u -r1.82 util_script.c
--- util_script.c	1997/10/24 15:40:55	1.82
+++ util_script.c	1997/11/01 03:35:59
@@ -186,8 +186,15 @@
 	    table_set(e, "CONTENT_TYPE", hdrs[i].val);
 	else if (!strcasecmp(hdrs[i].key, "Content-length"))
 	    table_set(e, "CONTENT_LENGTH", hdrs[i].val);
+	/*
+	 * You really don't want to disable this check, since it leaves you
+	 * wide open to CGIs stealing passwords and people viewing them
+	 * in the environment with "ps -e".  But, if you must...
+	 */
+#ifndef PASS_AUTHORIZATION
 	else if (!strcasecmp(hdrs[i].key, "Authorization"))
 	    continue;
+#endif
 	else
 	    table_set(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);
     }
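Review bot: the `continue` in this hunk only covers `Authorization`; `Proxy-Authorization`, which carries credentials in exactly the same form (for Basic, base64 of user:password), still falls through to the final `else` and is exported via http2env as HTTP_PROXY_AUTHORIZATION whether or not PASS_AUTHORIZATION is defined. Suggest widening the test so both headers are dropped by default, e.g. `else if (!strcasecmp(hdrs[i].key, "Authorization") || !strcasecmp(hdrs[i].key, "Proxy-Authorization"))`. The comment could also say outright that a Basic credential is only base64, so a script that reads the variable recovers the plaintext password with no effort.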

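To make the mechanism concrete, here is a small stand-alone model of the loop the patch touches. It is an added example written for this page, not code from Apache or from the patch author: the `header`/`envvar` structs, the sample request and its credentials are constructed here, and the stripping of `Proxy-Authorization` alongside `Authorization` goes beyond what the patch does. It shows the header-to-variable mapping (`http2env`), what a CGI inherits with and without the equivalent of PASS_AUTHORIZATION, and how trivially a script turns HTTP_AUTHORIZATION back into a user:password pair.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical structs for this example, not Apache's own types. */
struct header { const char *key; const char *val; };
struct envvar { char name[64]; char val[256]; };

/* Same mapping as Apache's http2env(): "User-Agent" -> "HTTP_USER_AGENT".
 * Assumes outsz >= 6 so the "HTTP_" prefix always fits. */
static void http2env(const char *key, char *out, size_t outsz)
{
    size_t n = 5;
    strcpy(out, "HTTP_");
    for (; *key && n + 1 < outsz; key++, n++)
        out[n] = (*key == '-') ? '_' : (char)toupper((unsigned char)*key);
    out[n] = '\0';
}

/* Fill env[] from the request headers; returns the number of variables.
 * pass_authorization plays the role of the PASS_AUTHORIZATION define:
 * 0 (the default) drops credential-bearing headers.  Stripping
 * Proxy-Authorization as well is this example's addition. */
static int build_cgi_env(const struct header *hdrs, int nhdrs,
                         int pass_authorization,
                         struct envvar *env, int maxenv)
{
    int count = 0;
    for (int i = 0; i < nhdrs && count < maxenv; i++) {
        const char *k = hdrs[i].key;
        if (!strcasecmp(k, "Content-type"))
            strcpy(env[count].name, "CONTENT_TYPE");
        else if (!strcasecmp(k, "Content-length"))
            strcpy(env[count].name, "CONTENT_LENGTH");
        else if (!pass_authorization &&
                 (!strcasecmp(k, "Authorization") ||
                  !strcasecmp(k, "Proxy-Authorization")))
            continue;               /* credentials never reach the script */
        else
            http2env(k, env[count].name, sizeof env[count].name);
        snprintf(env[count].val, sizeof env[count].val, "%s", hdrs[i].val);
        count++;
    }
    return count;
}

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Turn "Basic <base64>" into "user:password"; returns length or -1.
 * This is all a script needs to recover the plaintext password. */
static int basic_credentials(const char *hdrval, char *out, size_t outsz)
{
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    if (strncasecmp(hdrval, "Basic ", 6) != 0) return -1;
    for (const char *p = hdrval + 6; *p && *p != '='; p++) {
        int v = b64val((unsigned char)*p);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            if (n + 1 >= outsz) return -1;
            bits -= 8;
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample request; the credentials are made up for the example. */
static const struct header sample_request[] = {
    { "Host",           "www.example.com" },
    { "Authorization",  "Basic YWxpY2U6czNjcjN0" },
    { "Content-Type",   "application/x-www-form-urlencoded" },
    { "Content-Length", "11" },
    { "User-Agent",     "Mozilla/4.0" },
};
#define NSAMPLE ((int)(sizeof sample_request / sizeof sample_request[0]))

/* Value of NAME in the environment a CGI would inherit, or NULL if absent. */
static const char *sample_env_value(int pass_authorization, const char *name)
{
    static struct envvar env[16];
    int n = build_cgi_env(sample_request, NSAMPLE, pass_authorization, env, 16);
    for (int i = 0; i < n; i++)
        if (strcmp(env[i].name, name) == 0) return env[i].val;
    return NULL;
}

/* What a script run under PASS_AUTHORIZATION could log: the decoded pair. */
static const char *sample_decoded_credentials(void)
{
    static char buf[64];
    const char *v = sample_env_value(1, "HTTP_AUTHORIZATION");
    if (!v || basic_credentials(v, buf, sizeof buf) < 0) return NULL;
    return buf;
}

int main(void)
{
    for (int pass = 0; pass <= 1; pass++) {
        struct envvar env[16];
        int n = build_cgi_env(sample_request, NSAMPLE, pass, env, 16);
        printf("PASS_AUTHORIZATION=%d:\n", pass);
        for (int i = 0; i < n; i++)
            printf("  %s=%s\n", env[i].name, env[i].val);
    }
    printf("decoded by the script: %s\n", sample_decoded_credentials());
    return 0;
}
```

With the default (0) the script sees HTTP_HOST, CONTENT_TYPE, CONTENT_LENGTH and HTTP_USER_AGENT but no HTTP_AUTHORIZATION; with the flag set the base64 value is in its environment, and therefore in the environment of every child it forks and in anything that can read the process's environment on the host, and decodes to the plaintext pair in a few lines of C.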

Re: [PATCH] define to allow passing of Authorization header

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Fri, Oct 31, 1997 at 08:45:28PM -0700, Marc Slemko wrote:
> +	/*
> +	 * You really don't want to disable this check, since it leaves you
> +	 * wide open to CGIs stealing passwords and people viewing them
> +	 * in the environment with "ps -e".  But, if you must...
> +	 */
> +#ifndef PASS_AUTHORIZATION
>  	else if (!strcasecmp(hdrs[i].key, "Authorization"))
>  	    continue;
> +#endif

If people _find_ this code location (and the comment which makes the
consequences clear), they could just as well have commented the lines out.
So: +0.5    (positive because it closes a PR, not +1 because of the
possible consequences)

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: [PATCH] define to allow passing of Authorization header

Posted by Dean Gaudet <dg...@arctic.org>.
+1 on this, but I'd also +1 it if you changed the define to
HUGE_SECURITY_HOLE_PASSING_AUTHORIZATION_TO_CGI and documented it that
way... 

Dean

On Fri, 31 Oct 1997, Marc Slemko wrote:

> Anyone agree with the below?  It simply adds an (undocumented) define to
> allow people to pass the Authorization header to scripts.
> 
> I'm not entirely convinced about this; I really don't think it is worth
> the overhead of a runtime config option, since most people are too dumb to
> know what they are doing, but it can be useful in some limited situations.
> An argument against this is that any moron should be able to figure out to
> delete the two lines; the ifdef + comment are extra documentation in a way
> though...
> 
> In any case, either people go for this and it is added or PR#549 is closed
> saying that we can find no way to justify support for such a thing at the
> current time.
> 
> Things like mod_auth_external are far better for the vast majority of
> possible uses of this anyway.
> 
> Index: util_script.c
> ===================================================================
> RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
> retrieving revision 1.82
> diff -u -r1.82 util_script.c
> --- util_script.c	1997/10/24 15:40:55	1.82
> +++ util_script.c	1997/11/01 03:35:59
> @@ -186,8 +186,15 @@
>  	    table_set(e, "CONTENT_TYPE", hdrs[i].val);
>  	else if (!strcasecmp(hdrs[i].key, "Content-length"))
>  	    table_set(e, "CONTENT_LENGTH", hdrs[i].val);
> +	/*
> +	 * You really don't want to disable this check, since it leaves you
> +	 * wide open to CGIs stealing passwords and people viewing them
> +	 * in the environment with "ps -e".  But, if you must...
> +	 */
> +#ifndef PASS_AUTHORIZATION
>  	else if (!strcasecmp(hdrs[i].key, "Authorization"))
>  	    continue;
> +#endif
>  	else
>  	    table_set(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);
>      }
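Review bot: the comment added in this hunk tells the reader not to "disable this check" but never names how it is disabled or what the result is, so the one piece of documentation this undocumented define gets is incomplete. Suggest the comment state that the check is bypassed by building with PASS_AUTHORIZATION defined (-DPASS_AUTHORIZATION in the compiler flags) and that the header then reaches scripts as HTTP_AUTHORIZATION, since that is the variable name a script author will go looking for; a define name that states the risk, as Dean suggests, would make the same point at the build-configuration level.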
> 
>