Synopsis: Apache does not pass Authorization header to CGI scripts State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Thu Sep 11 06:40:04 PDT 1997 State-Changed-Why: This is already asked for in PR#549. http://bugs.apache.org/index/full/549
It is not just an issue of trusting the script, but also trusting that no one else can see the environment with ps -e. That isn't always a smart choice. There is a mod_auth_external available somewhere that can run arbitrary programs to do authentication. So what it comes down to is that an option may be added at some point to allow the user to pick if they want it passed, but there are significant risks to it.
