DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11602>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11602

REMOTE_USER variable lost in conjunction with Script directive

           Summary: REMOTE_USER variable lost in conjunction with Script directive
           Product: Apache httpd-2.0
           Version: 2.0.39
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: mod_actions
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: [EMAIL PROTECTED]
                CC: [EMAIL PROTECTED]

My httpd.conf contains the following section:

    <Directory "/usr/local/apache/htdocs/skatersupport">
        AuthType Basic
        AuthName "Skater Support File Depository"
        AuthUserFile /home/jen/passwords
        Script PUT /cgi-bin/Put
        <Limit PUT>
            require valid-user
        </Limit>
    </Directory>

As a belt-and-suspenders measure, the PUT method handler script checks to make sure that the REMOTE_USER environment variable has been populated by the server. This is to protect against the possibility of misconfiguration; if someone managed somehow to invoke the PUT handler script without having authenticated themselves, the script would abort.

This worked with Apache 1.3.12, 1.3.19, and 1.3.22. However, beginning with at least Apache 2.0.36, the REMOTE_USER variable is not set when the handler script is invoked, regardless of whether the request included valid credentials. The AuthUserFile is correctly checked, and the script is only run when the credentials are valid, but the script itself cannot determine the identity of the remote user. The problem persists in 2.0.39.

To test this, I first instrumented the script so that it would dump out its environment to the file /tmp/Put.err. I then used a Perl utility to send a PUT request to the server:

    PUT -C mjd:badpassword http://www.plover.com/skatersupport/TESTFILE < /dev/null

The Put.err file did not appear, and PUT reported that the server's response was a 401 Authorization Required.
Then I tried sending the same request with the correct password:

    PUT -C mjd:goodpassword http://www.plover.com/skatersupport/TESTFILE < /dev/null

Again, PUT reported a 401 error, but this time the 401 was artificially generated by the PUT handler script. The Put.err file did appear, and contained a listing of the environment:

    CONTENT_LENGTH: 0
    CONTENT_TYPE: text/plain
    DOCUMENT_ROOT: /usr/local/apache/htdocs
    ...
    REMOTE_PORT: 4106
    REQUEST_METHOD: PUT
    ...
    SERVER_PROTOCOL: HTTP/1.1
    SERVER_SIGNATURE: <address>Apache/2.0.39 Server at www.plover.com Port 80</address>
    SERVER_SOFTWARE: Apache/2.0.39 (Unix)

As you can see, the REMOTE_USER variable is missing. The Put.err file ended with

    REMOTE_USER missing; generating authorization failure response.

indicating that the 401 response was from the handler script and not from the httpd.

This may be the same bug as #10678.
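
Added example, not part of the original report and not the reporter's handler script: the fail-closed REMOTE_USER check the report describes, written in Python, with the environment dump redacting credential-bearing variables before they reach a log. The function names, the redaction list and the sample environments are assumptions constructed for illustration.

```python
import sys

# Header values that must not be copied into a debug log (assumed list).
SENSITIVE = {"HTTP_AUTHORIZATION", "HTTP_PROXY_AUTHORIZATION", "HTTP_COOKIE"}
REALM = "Skater Support File Depository"  # AuthName from the report's httpd.conf

# Constructed sample: a few variables from the report's listing, no REMOTE_USER.
# HTTP_AUTHORIZATION is added only to exercise the redaction (assumption).
ENV_2_0_39 = {"CONTENT_LENGTH": "0", "CONTENT_TYPE": "text/plain",
              "REQUEST_METHOD": "PUT", "HTTP_AUTHORIZATION": "Basic constructed-value"}
# Constructed sample: the same request with the identity passed through.
ENV_1_3 = dict(ENV_2_0_39, REMOTE_USER="mjd")


def dump_environment(environ, out):
    """Write the environment as sorted 'NAME: value' lines, redacting secrets."""
    for name in sorted(environ):
        value = "[redacted]" if name in SENSITIVE else environ[name]
        out.write(f"{name}: {value}\n")


def authorize_put(environ, log):
    """Return (status, user); fail closed unless the server supplied an identity."""
    dump_environment(environ, log)
    if environ.get("REQUEST_METHOD") != "PUT":
        log.write("Not a PUT request; refusing.\n")
        return 405, None
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        # Either the handler was reached without authentication (misconfiguration)
        # or the server did not pass the identity on, as in this report.
        log.write("REMOTE_USER missing; generating authorization failure response.\n")
        return 401, None
    return 200, user


def cgi_failure(status):
    """Build the CGI response for a refused request."""
    reason = {401: "Authorization Required", 405: "Method Not Allowed"}[status]
    extra = {401: f'WWW-Authenticate: Basic realm="{REALM}"\r\n',
             405: "Allow: PUT\r\n"}[status]
    return f"Status: {status} {reason}\r\n{extra}Content-Type: text/plain\r\n\r\n{reason}\n"


if __name__ == "__main__":
    for env in (ENV_2_0_39, ENV_1_3):
        status, user = authorize_put(env, sys.stderr)
        print(status, user)
```

Passing the log as a stream lets the handler write to the server's error log rather than a fixed, predictable file under /tmp.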