dgaudet 98/01/21 14:31:47
Modified: src CHANGES
src/main util_script.c
Log:
Let people shoot themselves by passing Authorization to CGIs if they
define SECURITY_HOLE_PASS_AUTHORIZATION.
PR: 549
Submitted by: Marc Slemko
Reviewed by: Dean Gaudet, Paul Sutton
Revision Changes Path
1.584 +4 -0 apachen/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apachen/src/CHANGES,v
retrieving revision 1.583
retrieving revision 1.584
diff -u -r1.583 -r1.584
--- CHANGES 1998/01/21 22:27:17 1.583
+++ CHANGES 1998/01/21 22:31:44 1.584
@@ -1,5 +1,9 @@
Changes with Apache 1.3b4
+ *) If you define SECURITY_HOLE_PASS_AUTHORIZATION then the Authorization
+ header will be passed to CGIs. This is generally a security hole, so
+ it's not a default. [Marc Slemko] PR#549
+
*) Fix Y2K problem with date printing in suexec log.
[Paul Eggert <[EMAIL PROTECTED]>] PR#1343
1.92 +7 -0 apachen/src/main/util_script.c
Index: util_script.c
===================================================================
RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -r1.91 -r1.92
--- util_script.c 1998/01/14 21:01:08 1.91
+++ util_script.c 1998/01/21 22:31:46 1.92
@@ -208,8 +208,15 @@
table_set(e, "CONTENT_TYPE", hdrs[i].val);
else if (!strcasecmp(hdrs[i].key, "Content-length"))
table_set(e, "CONTENT_LENGTH", hdrs[i].val);
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
+ * in the environment with "ps -e". But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_AUTHORIZATION
else if (!strcasecmp(hdrs[i].key, "Authorization"))
continue;
+#endif
else
table_set(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);
}
