Hi,

On 12/19/2007 9:35:16 AM +0100, Christian Seiler <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> If you use 'PassHeader Authorization' in order to allow FastCGI scripts
> to access the Authentication data, an environment variable
> 'Authorization' containing the header will be created. But any script
> that follows the CGI specification will expect a header 'Foo' to be
> added as an environment variable 'HTTP_FOO'. So instead of creating
> 'Authorization', mod_fcgid should create 'HTTP_AUTHORIZATION'.
> 
> Here's the patch for the problem:
> 
> http://www.christian-seiler.de/temp/mod_fcgid-patches/pass-headers.patch

Thank you for your contribution, but IMHO this patch is not necessary 
because the problem comes from Apache not allowing the Authorization 
header to be added as an environment variable (Header => HTTP_HEADER 
transformation). See the httpd-2.2.4 source, server/util_script.c:173.

The workaround for allowing Authorization to be passed in CGI as well as 
PHP and any other script language is to compile Apache with the 
-DSECURITY_HOLE_PASS_AUTHORIZATION compile flag (CFLAGS). Note that 
nowadays, it is very common for that security stuff to be processed by 
CGIs and FastCGI scripts instead of the HTTP server itself, thus it is 
not a "security hole" anymore (see how lighttpd does it).

OTOH, PHP as a CGI or FastCGI executable does exactly what it is 
supposed to do: reading environment variables, not headers (e.g. PHP 
parses the HTTP_ACCEPT_LANGUAGE env variable, not the "Accept-Language" 
header).

The PassHeader directive doesn't have to exist because translating _all_ 
headers to HTTP_ vars belongs to the web server, not the CGI or FastCGI module.

> Oh, and just a general question: Why aren't all mod_fcgid configuration
> directives prefixed with e.g. Fcgid? If I see configuration directives
> like 'MaxProcessCount' or 'SocketPath' I don't automatically associate
> them with mod_fcgid - if they were named 'FcgidMaxProcessCount',
> 'FcgidSocketPath' or something similar, it would be clear from the start
> to which module they belong.

This is a very good suggestion (and already mentioned), but nobody has 
done a patch yet. Maybe for the next version?

Gabriel
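
The Header => HTTP_HEADER transformation discussed in this message, sketched as an added example (not code from the thread, from mod_fcgid or from httpd). `cgi_env_name` and its `pass_auth` parameter are hypothetical; `pass_auth` stands in for a build with -DSECURITY_HOLE_PASS_AUTHORIZATION.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality; HTTP header names are case-insensitive. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++; b++;
    }
    return *a == *b;
}

/* Hypothetical helper: writes the CGI variable name for a request header
 * into out. Returns 1 if the header is exported to the script, 0 if it is
 * withheld or the name does not fit in out. */
int cgi_env_name(const char *header, int pass_auth, char *out, size_t outlen)
{
    const char *prefix = "HTTP_";
    size_t n, i;

    if (ieq(header, "Content-Type") || ieq(header, "Content-Length"))
        prefix = "";      /* CGI defines CONTENT_TYPE and CONTENT_LENGTH */
    else if (!pass_auth && (ieq(header, "Authorization") ||
                            ieq(header, "Proxy-Authorization")))
        return 0;         /* credentials are not handed to the script */

    n = strlen(prefix);
    if (n + strlen(header) + 1 > outlen)
        return 0;
    memcpy(out, prefix, n);
    for (i = 0; header[i]; i++) {
        unsigned char c = (unsigned char)header[i];
        out[n + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[n + i] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample header names. */
    const char *sample[] = { "Accept-Language", "Content-Type", "Authorization" };
    char buf[64];
    for (int pass = 0; pass <= 1; pass++)
        for (size_t i = 0; i < 3; i++)
            printf("pass_auth=%d %-16s -> %s\n", pass, sample[i],
                   cgi_env_name(sample[i], pass, buf, sizeof buf) ? buf : "(not exported)");
    return 0;
}
```

With `pass_auth` set, every script run by the server can read the client's credentials from its environment, so the flag only makes sense where authentication is deliberately delegated to those scripts.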
