On 5/16/06, Cliff Ford <[EMAIL PROTECTED]> wrote:
So I still wonder if anyone who is using the REMOTE_USER environment
variable is aware of a problem and has a solution.
Environment-related variables should not be "hackable" from restricted
code. Please file a report in the Zope Collector:
htt
I have done some more testing, and despite being told that
request.environ['REMOTE_USER'] is not hackable I have hacked it and can
use the hack to get at otherwise forbidden content. For testing I have
set REMOTE_USER in the zope.conf cgi-environment variable, so I can
quickly change from being
Hmmm, it was request.environ['REMOTE_USER'] that I found a way to hack.
However, your comment has caused me to realise that when not logged in,
Apache is not setting the REMOTE_USER environment variable, so a script
can set it (in environ). So if I get the Apache boss to set REMOTE_USER
to None