dgaudet     98/01/21 14:31:47

  Modified:    src      CHANGES
               src/main util_script.c
  Log:
  Let people shoot themselves by passing Authorization to CGIs if they
  define SECURITY_HOLE_PASS_AUTHORIZATION.
  
  PR:           549
  Submitted by: Marc Slemko
  Reviewed by:  Dean Gaudet, Paul Sutton
  
  Revision  Changes    Path
  1.584     +4 -0      apachen/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/CHANGES,v
  retrieving revision 1.583
  retrieving revision 1.584
  diff -u -r1.583 -r1.584
  --- CHANGES   1998/01/21 22:27:17     1.583
  +++ CHANGES   1998/01/21 22:31:44     1.584
  @@ -1,5 +1,9 @@
   Changes with Apache 1.3b4
   
  +  *) If you define SECURITY_HOLE_PASS_AUTHORIZATION then the Authorization
  +     header will be passed to CGIs.  This is generally a security hole, so
  +     it's not a default.  [Marc Slemko] PR#549
  +
     *) Fix Y2K problem with date printing in suexec log.
        [Paul Eggert <[EMAIL PROTECTED]>] PR#1343
     
  
  
  
  1.92      +7 -0      apachen/src/main/util_script.c
  
  Index: util_script.c
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
  retrieving revision 1.91
  retrieving revision 1.92
  diff -u -r1.91 -r1.92
  --- util_script.c     1998/01/14 21:01:08     1.91
  +++ util_script.c     1998/01/21 22:31:46     1.92
  @@ -208,8 +208,15 @@
            table_set(e, "CONTENT_TYPE", hdrs[i].val);
        else if (!strcasecmp(hdrs[i].key, "Content-length"))
            table_set(e, "CONTENT_LENGTH", hdrs[i].val);
  +     /*
  +      * You really don't want to disable this check, since it leaves you
  +      * wide open to CGIs stealing passwords and people viewing them
  +      * in the environment with "ps -e".  But, if you must...
  +      */
  +#ifndef SECURITY_HOLE_PASS_AUTHORIZATION
        else if (!strcasecmp(hdrs[i].key, "Authorization"))
            continue;
  +#endif
        else
            table_set(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);
       }
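Review bot: Only the `Authorization` header is withheld from the CGI environment by the new `#ifndef` block; a `Proxy-Authorization` header, which carries credentials in the same form, still reaches the final `else` and is exported through `http2env()` (presumably as `HTTP_PROXY_AUTHORIZATION`), so the same `ps -e` exposure the comment describes applies to it. Consider adding `else if (!strcasecmp(hdrs[i].key, "Proxy-Authorization")) continue;` inside the same `#ifndef SECURITY_HOLE_PASS_AUTHORIZATION` guard so both are governed by one switch. The comment could also state the consequence of defining the macro, e.g. `* With SECURITY_HOLE_PASS_AUTHORIZATION defined the header is exported to the CGI as HTTP_AUTHORIZATION.`, since that is the only place a builder will see what the define does. The enclosing function and the loop this `else if` chain sits in both start outside the hunk.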
  
  
  
