[EMAIL PROTECTED] writes:
> Synopsis: .htaccess can be bypassed with cgi scripts which use
> PATH_TRANSLATED info (Re: PR1418)
>
> State-Changed-From-To: open-closed
> State-Changed-By: marc
> State-Changed-When: Fri Aug 14 18:30:04 PDT 1998
> State-Changed-Why:
> No, the web server can't do the authorization because the
> path info doesn't necessarily have anything to do with a
> filesystem path; it _can_ be used that way, but it is very
> often used in other ways.

But the CGI script can't either. There should be at least some sort of "hint", if the PATH_INFO or the PATH_TRANSLATED will be used by the CGI script. In the former case apache should do authorization, but in the latter it shouldn't. It is debatable how this can be done, though.

> Any CGI can do the same thing; if the files are readable,
> the CGI would read them. Would you blame Apache for a CGI
> that just printed out the contents of every file on the
> filesystem that were readable to the user.

But the CGI doesn't know if the files are protected. With the actual solution I would need to have a custom CGI script for each protected directory. Suppose directory /A and /B from the same user but protected with different passwords. If I install the CGI script in A I could still access files in /B with the password from /A (/A/script/B/file). Same thing for the other case.
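An added example, not part of the original message or of Apache: one way a CGI script can confine itself for the /A/script/B/file case described above. It assumes the script should only serve files beneath the directory it is installed in; the function names and the temporary docroot are constructed for illustration.

```python
import os
import tempfile

def allowed_target(script_filename, path_translated):
    """Return the resolved target if it lies inside the script's own
    directory (assumed to be the protected directory), else None."""
    if not script_filename or not path_translated:
        return None
    script = os.path.realpath(script_filename)
    root = os.path.dirname(script)
    # realpath collapses ".." and follows symlinks before the comparison
    target = os.path.realpath(path_translated)
    if target == script or os.path.commonpath([root, target]) != root:
        return None
    return target

def handle_request(environ):
    """Serve the file named by PATH_TRANSLATED only when it passes the check."""
    target = allowed_target(environ.get("SCRIPT_FILENAME"),
                            environ.get("PATH_TRANSLATED"))
    if target is None or not os.path.isfile(target):
        return "403 Forbidden", b""
    with open(target, "rb") as fh:
        return "200 OK", fh.read()

def demo():
    """Build a constructed docroot with /A and /B and replay three requests."""
    docroot = os.path.realpath(tempfile.mkdtemp())
    for name in ("A", "B"):
        os.mkdir(os.path.join(docroot, name))
        with open(os.path.join(docroot, name, "file"), "wb") as fh:
            fh.write(name.encode())
    script = os.path.join(docroot, "A", "script")
    open(script, "wb").close()
    # a symlink inside /A that points at the file in /B
    os.symlink(os.path.join(docroot, "B", "file"),
               os.path.join(docroot, "A", "link"))
    results = {}
    for path_info in ("/A/file", "/B/file", "/A/link"):
        env = {"SCRIPT_FILENAME": script,
               "PATH_TRANSLATED": docroot + path_info}
        results[path_info] = handle_request(env)
    return results

if __name__ == "__main__":
    print(demo())
```

This only keeps the script inside its own directory; it does not evaluate .htaccess rules, so a nested directory with different credentials would still need its own handling.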
