dgaudet 98/01/21 14:31:47
Modified: src CHANGES src/main util_script.c Log: Let people shoot themselves by passing Authorization to CGIs if they define SECURITY_HOLE_PASS_AUTHORIZATION. PR: 549 Submitted by: Marc Slemko Reviewed by: Dean Gaudet, Paul Sutton Revision Changes Path 1.584 +4 -0 apachen/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apachen/src/CHANGES,v
retrieving revision 1.583
retrieving revision 1.584
diff -u -r1.583 -r1.584
--- CHANGES 1998/01/21 22:27:17 1.583
+++ CHANGES 1998/01/21 22:31:44 1.584
@@ -1,5 +1,9 @@
 Changes with Apache 1.3b4
+ *) If you define SECURITY_HOLE_PASS_AUTHORIZATION then the Authorization
+ header will be passed to CGIs. This is generally a security hole, so
+ it's not a default. [Marc Slemko] PR#549
+
 *) Fix Y2K problem with date printing in suexec log. [Paul Eggert <[EMAIL PROTECTED]>] PR#1343
1.92 +7 -0 apachen/src/main/util_script.c
Index: util_script.c
===================================================================
RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -r1.91 -r1.92
--- util_script.c 1998/01/14 21:01:08 1.91
+++ util_script.c 1998/01/21 22:31:46 1.92
@@ -208,8 +208,15 @@
 table_set(e, "CONTENT_TYPE", hdrs[i].val);
 else if (!strcasecmp(hdrs[i].key, "Content-length"))
 table_set(e, "CONTENT_LENGTH", hdrs[i].val);
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
+ * in the environment with "ps -e". But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_AUTHORIZATION
 else if (!strcasecmp(hdrs[i].key, "Authorization"))
 continue;
+#endif
 else
 table_set(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);
 }
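Review bot: The guarded branch in the util_script.c hunk drops only `Authorization`; in the visible lines a `Proxy-Authorization` header falls through to the final `else` and is handed to the script through `http2env`, which exposes proxy credentials in the same way the new comment warns about. Unless a branch above the hunk already filters it, the test should cover both headers: `else if (!strcasecmp(hdrs[i].key, "Authorization") || !strcasecmp(hdrs[i].key, "Proxy-Authorization"))`. Because the switch is a preprocessor define, enabling it applies to every CGI served by that build, with no per-directory or per-script scoping. The comment could say so, e.g. `* Compile-time only: defining this passes credentials to every CGI this binary runs.` The if/else chain and its enclosing loop begin outside the hunk.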