>Number: 2308 >Category: mod_cgi >Synopsis: How do we protect our cgi script and get the REMOTE_USER >variable? >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu May 28 08:10:00 PDT 1998 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2.5 >Environment: AIX 1.4 >Description: We're using DMUserFile Authentication to protect our HTML pages. We need the REMOTE_USER variable in a CGI script, but we're failing to get it. We've read that the script must be protected also, so we tried putting our perl script in a directory under our previous protected directory (like /web/htdocs/protected/cgi-bin), and put the directive "ScriptAlias /cgi-bin/ /web/htdocs/protected/cgi-bin/" in the srm.conf file. This way the the script is read as an html page. We also put our script under the cgi-bin directory (/web/cgi-bin/auth) and copy the .htaccess file there. But this way the protection is simply ignored. The cgi is executed and doesn't return the REMOTE_USER variable. >How-To-Repeat:
>Fix: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]
