"Maciej (Matchek) BliziĆski" <[email protected]> writes: > 2013/8/12 Peter FELECAN <[email protected]>: >> Returning to the REMOTE_USER not being defined, after a cursory look at >> other people having issues with that it seems that even if the >> environment variable is not provided, there is a possibility to obtain >> the remote user from the "authorization" header, see >> http://stackoverflow.com/questions/8495229/remote-user-not-being-set-by-apache2 >> but maybe this is also modified by the proxy. > > Normally the authorization header is stripped, unless you configure > Apache to specifically include it. The security concern is that you > expose the auth password to the script while you don't need to.
Indeed. How about a rewrite? What are the other environment variables accessible to the script? -- Peter _______________________________________________ maintainers mailing list [email protected] https://lists.opencsw.org/mailman/listinfo/maintainers .:: This mailing list's archive is public. ::.
