>Number: 3954 >Category: mod_auth-any >Synopsis: POST needs no Auth / ignores REMOTE_USER >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Feb 23 15:40:03 PST 1999 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2.6-1.3.4 >Environment: Linux 2.0.34 / 2.0.36 gcc 2.7.2 heavy patched www-sql >Description: Sorry, if I am too stupid, but if I POST to a file with action-handler in a .htacces-protected Directory, no user-auth is performed, the REMOTE_USER env-var isn't set and the logfile shows no remote user! (at home I tried with unpatched apache 1.2.6 and 1.3.4, same results)
Regards, Malte >How-To-Repeat: http://www.ddd.de/auth-test/ >Fix: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]
