>Number: 549
>Category: mod_cgi
>Synopsis: Missing HTTP_AUTHORIZATION in CGI environment
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: change-request
>Submitter-Id: apache
>Arrival-Date: Tue May 6 00:10:01 1997
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2beta10
>Environment:
Linux mnlpc 2.0.30 #21 Sat Apr 19 16:30:12 MET DST 1997 i586
>Description:
The "original" CERN Web-Server sets an environment variable HTTP_AUTHORIZATION when calling a CGI Script to the authorization string supplied by the browser (e.g. "Basic gasdfFjhgfjhg"). This allowed me to implement my own authorization scheme:

(1) use a nph-script.
(2) if HTTP_AUTHORIZATION is not set, respond "HTTP/1.0 401 Authorization failed\r", "WWW-Authenticate: Basic w3tdp\r". This causes the browser to prompt for username and password and to supply the authorization string with the next request.
(3) Via HTTP_AUTHORIZATION this gets to my cgi-script and I can decode the base64 coded string and match the password against my own application specific password database.

This is much easier to configure (and was supposed to be more portable) than using .htaccess files and htpasswd to modify some password file. I found, however, that apache does not supply this environment variable. I suppose it is not part of the CGI 1/1 definition. But as you can see, it is a very useful feature.
>How-To-Repeat:
Look at the environment of a CGI script. If you don't have access to a CERN-Server, I can make a URL available for you to test this.
>Fix:
Pass the authentication-string in the CGI environment. I suppose I could create an apache patch myself. But if I want to distribute my CGI-based application, I can't ask people to patch their apache server as part of the installation process.
>Audit-Trail:
>Unformatted:
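
The three-step scheme described in this report, sketched as an added example (not code from the submitter or from Apache): an nph-style handler that answers 401 when HTTP_AUTHORIZATION is absent or invalid, and otherwise decodes the Basic credentials and checks them against an application password database. The function names, the `alice` account, and the PBKDF2-hashed store are assumptions made for illustration; the realm name `w3tdp` is taken from the report and sent in the standard `realm="..."` form.

```python
import base64, binascii, hashlib, hmac, os

REALM = "w3tdp"  # realm name taken from the report

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample database (hypothetical account): user -> (salt, PBKDF2 hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

def parse_basic(header):
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    if not header:
        return None
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_credentials(user, password):
    # Hash even for unknown users so response time does not reveal valid names.
    salt, expected = USERS.get(user, (_SALT, b"\0" * 32))
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return matches and user in USERS

def handle(environ):
    """nph-style handler: returns the complete HTTP response as a string."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds is None or not check_credentials(*creds):
        return ("HTTP/1.0 401 Authorization failed\r\n"
                f'WWW-Authenticate: Basic realm="{REALM}"\r\n'
                "Content-Type: text/plain\r\n\r\nAuthorization required\n")
    return ("HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            f"Hello, {creds[0]}\n")

if __name__ == "__main__":
    import sys
    sys.stdout.write(handle(os.environ))
```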
