Posted to apache-bugdb@apache.org by Guntram Blohm <gb...@www5.mercedes-benz.com> on 1997/09/11 10:30:02 UTC

general/1114: Apache does not pass Authorization header to CGI scripts

>Number:         1114
>Category:       general
>Synopsis:       Apache does not pass Authorization header to CGI scripts
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Thu Sep 11 01:30:01 1997
>Originator:     gbl@www5.mercedes-benz.com
>Organization:
apache
>Release:        1.2.4 and older
>Environment:
independent of OS/Compiler
>Description:
Lines 182/183 of util_script.c say

        else if (!strcasecmp (hdrs[i].key, "Authorization"))
            continue;

which prevents Authorization headers from being passed to CGI scripts,
to avoid password-stealing. I have an environment where
1) authorization checking is very complex, and I can't use one of the available modules
2) the script needs to know which user is calling it.

In my case, I know that I'm the only one to write scripts for this server,
so I could afford to just comment the above two lines out.
>How-To-Repeat:

>Fix:
Introduce a new option into access.conf - say, Options PassAuth -
which is disabled by default and would enable passing Authorization
headers for a specific directory. This would not change the default behaviour,
but allow system managers to allow auth headers to be passed for certain
directories in which the scripts are considered to be non-malicious.
>Audit-Trail:
>Unformatted:
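
The header filter quoted in the description, combined with the per-directory opt-in proposed under >Fix, as an added example that is not Apache's code or the submitter's patch. The names struct dir_conf, pass_auth, build_cgi_env and auth_visible are hypothetical, and the sample headers are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define ENV_LEN 256
struct hdr { const char *key, *val; };
struct dir_conf { int pass_auth; };  /* hypothetical per-directory flag, off by default */

/* Constructed sample request headers (not taken from the report). */
static const struct hdr sample[] = {
    { "Host", "www.example.com" },
    { "authorization", "Basic dXNlcjpwYXNz" },  /* lower case on purpose */
    { "User-Agent", "demo/1.0" },
};

/* Fill env[] with HTTP_NAME=value strings; returns the number written. */
int build_cgi_env(const struct hdr *h, int nh, const struct dir_conf *conf,
                  char env[][ENV_LEN], int max)
{
    int count = 0;
    for (int i = 0; i < nh && count < max; i++) {
        char name[64] = "HTTP_";               /* rest of the array is zeroed */
        size_t k = strlen(h[i].key);
        /* Default deny: credentials reach the script only on explicit opt-in. */
        if (!strcasecmp(h[i].key, "Authorization") && !(conf && conf->pass_auth))
            continue;
        if (k + 6 > sizeof name) continue;     /* name would not fit */
        for (size_t j = 0; j < k; j++) {       /* User-Agent -> HTTP_USER_AGENT */
            unsigned char c = (unsigned char)h[i].key[j];
            name[5 + j] = isalnum(c) ? (char)toupper(c) : '_';
        }
        int w = snprintf(env[count], ENV_LEN, "%s=%s", name, h[i].val);
        if (w > 0 && w < ENV_LEN) count++;     /* drop oversized values, never truncate */
    }
    return count;
}

/* 1 if a script in a directory with this setting would see the header. */
int auth_visible(int pass_auth)
{
    char env[8][ENV_LEN];
    struct dir_conf conf = { pass_auth };
    int n = build_cgi_env(sample, (int)(sizeof sample / sizeof sample[0]), &conf, env, 8);
    for (int i = 0; i < n; i++)
        if (!strncmp(env[i], "HTTP_AUTHORIZATION=", 19)) return 1;
    return 0;
}
```

The flag is read from the directory's own configuration and a missing configuration is treated as off, so the existing behaviour is unchanged unless an administrator opts a directory in.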