>Number:         1972
>Category:       mod_cgi
>Synopsis:       (RFE) There is no way to pass HTTP Auth information to a CGI script
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Fri Mar 20 12:10:00 PST 1998
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.2.5
>Environment:
any
>Description:
In certain cases, it is useful to pass the HTTP auth information to a CGI.
This would allow the CGI to perform authentication without blindly trusting
its environment. This is highly desirable for setuid CGI scripts which
could be execced in a doctored environment from a compromised httpd account.
>How-To-Repeat:
>Fix:
new directive:

<Directory /home/httpd/cgi-put/put.perl>
    PassAuthPassword 5 # passes the HTTP Auth password (if present) in on descriptor 5
</Directory>

I'm not sure if there's a better choice than Directory, but you get the idea.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
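
The CGI side of the descriptor-passing idea in the Fix field, as an added example that is not part of the original PR or of Apache: PassAuthPassword is only the directive proposed above, and the names read_auth_password and demo_roundtrip and the 256-byte limit are assumptions. demo_roundtrip stands in for the server by placing a constructed password on descriptor 5 through a pipe.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define AUTH_FD 5    /* descriptor number used in the PR's example */
#define MAX_PW  256  /* assumed upper bound, not from the PR */

/* Read the password from an inherited descriptor. Returns its length, or -1
 * if fd is not an open pipe, the input is empty, or it does not fit in buf. */
static int read_auth_password(int fd, char *buf, size_t buflen)
{
    struct stat st;
    size_t used = 0;
    ssize_t n = 0;

    if (buflen < 2 || fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode))
        return -1;                       /* closed, or a file/tty/socket */
    while (used < buflen && (n = read(fd, buf + used, buflen - used)) > 0)
        used += (size_t)n;
    close(fd);                           /* keep it away from child processes */
    if (used > 0 && used < buflen && buf[used - 1] == '\n')
        used--;                          /* tolerate one trailing newline */
    if (n < 0 || used == 0 || used == buflen) {
        memset(buf, 0, buflen);          /* read error, empty, or too long */
        return -1;
    }
    buf[used] = '\0';
    return (int)used;
}

/* Stand-in for the server: put pw on AUTH_FD via a pipe, then read it back. */
static int demo_roundtrip(const char *pw, char *out, size_t outlen)
{
    int p[2];
    size_t len = strlen(pw);

    if (pipe(p) != 0) return -1;
    if (write(p[1], pw, len) != (ssize_t)len) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);                         /* reader must see EOF */
    if (p[0] != AUTH_FD) {
        if (dup2(p[0], AUTH_FD) < 0) { close(p[0]); return -1; }
        close(p[0]);
    }
    return read_auth_password(AUTH_FD, out, outlen);
}

int main(void) { char pw[MAX_PW]; printf("%d\n", demo_roundtrip("s3cret\n", pw, sizeof pw)); return 0; }
```
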
