Re: custom authentication functions

On Thu, 28 Mar 1996, Mike Meyer wrote:
> This problem doesn't require a change in CGI. CGI is for more than
> Unix. Unix systems have to find another solution. Ignoring the problem
> is one of them.

Except that CGI is supposed to be server, language, and OS independent,
yes? Thus, if I say "HTTP_AUTHORIZATION" goes in the environment for
everything but UNIX, and in UNIX that data gets passed on file handle 12
(or in shared memory or whatever), then it's going to be very difficult to
write a CGI script that will work under multiple operating systems,
especially those that don't refer to file handles with numbers.

> At least two used to. They've both since been fixed to not do that to
> avoid the security issues above.

Fixed? Gelded, perhaps?  ;-)

BTW, I think we're in violent agreement here. I would think the proper
approach is to have a flag in the server (perhaps on a per-script basis)
that would say whether to pass the authentication information in the
environment. Another possibility is to write the authentication out to a
temp file only readable by the http process, then pass the name of the
file in the environment. Several more disk I/Os per hit, but it's at
least as secure as http.  (If you can read the authentication file, you
can read whatever the CGI script would have read anyway.)

  --Darren

Received on Friday, 29 March 1996 12:13:52 UTC
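As an added illustration of the two options sketched in the message above (this is example code written for this page, not code from the thread or from any server of the period): a small Python spawner that either puts HTTP_AUTHORIZATION into the CGI child's environment, as a per-script flag selects, or writes it to a temp file that only the server's own uid can read and passes just the path. The variable name HTTP_AUTHORIZATION_FILE, the prefix of the temp file, and the stand-in child script are all assumptions made for the example; the thread never settles on a variable name. Note that the spawner strips both credential variables from whatever environment it inherits before adding back the selected one, so a leaked value in the parent never reaches a script that was not flagged to receive it.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Name of the variable that carries the temp-file path. The thread never
# settles on one; this name is an assumption made for the example.
AUTH_FILE_VAR = "HTTP_AUTHORIZATION_FILE"


def write_auth_file(auth_header):
    """Write the Authorization header to a fresh temp file readable only by
    the server's own uid and return its path. mkstemp() creates the file
    with mode 0600 and O_EXCL, so another user can neither read it nor
    pre-plant a file at that name."""
    fd, path = tempfile.mkstemp(prefix="cgi-auth-")
    with os.fdopen(fd, "w") as f:
        f.write(auth_header)
    return path


def auth_file_is_private(path):
    """True if path is a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def build_child_env(base_env, auth_header, pass_in_env):
    """Build the CGI child's environment.

    Whatever the caller passes in, both credential-bearing variables are
    removed first, so a script never inherits them by accident; the header
    is added back only in the form the per-script flag (pass_in_env) selects.
    Returns (env, tmp_path); tmp_path is None unless a file was written.
    """
    env = {k: v for k, v in base_env.items()
           if k not in ("HTTP_AUTHORIZATION", AUTH_FILE_VAR)}
    if auth_header is None:
        return env, None
    if pass_in_env:
        env["HTTP_AUTHORIZATION"] = auth_header   # the plain CGI way
        return env, None
    path = write_auth_file(auth_header)           # the temp-file way
    env[AUTH_FILE_VAR] = path
    return env, path


def run_cgi(argv, base_env, auth_header, pass_in_env):
    """Run a CGI program under the chosen policy and return its stdout.
    The temp file, if any, exists only for the duration of the request."""
    env, path = build_child_env(base_env, auth_header, pass_in_env)
    try:
        proc = subprocess.run(argv, env=env, capture_output=True,
                              text=True, check=False)
    finally:
        if path is not None:
            os.unlink(path)
    return proc.stdout


# Constructed stand-in for a CGI script: it reports where it found the
# credential. A real script would do the same lookup and then parse the value.
CHILD_SCRIPT = r"""
import os
auth = os.environ.get("HTTP_AUTHORIZATION")
path = os.environ.get("HTTP_AUTHORIZATION_FILE")
if auth is not None:
    source = "env"
elif path is not None:
    with open(path) as f:
        auth = f.read()
    source = "file"
else:
    source, auth = "none", ""
print(source + ":" + auth)
"""


def demo(auth_header, pass_in_env):
    """Spawn the stand-in script with the current interpreter and return its
    one-line report. A bogus HTTP_AUTHORIZATION is planted in the parent
    environment to show that it is stripped rather than inherited."""
    base_env = dict(os.environ)
    base_env["HTTP_AUTHORIZATION"] = "Basic leaked-from-parent"
    out = run_cgi([sys.executable, "-c", CHILD_SCRIPT], base_env,
                  auth_header, pass_in_env)
    return out.strip()


if __name__ == "__main__":
    print(demo("Basic dXNlcjpwYXNz", pass_in_env=True))   # env:Basic dXNlcjpwYXNz
    print(demo("Basic dXNlcjpwYXNz", pass_in_env=False))  # file:Basic dXNlcjpwYXNz
    print(demo(None, pass_in_env=False))                  # none:
```

The temp-file path costs the extra open/write/unlink per hit that the message mentions, and it relies on the file's mode and on the script running as the same uid as the server; if a server runs scripts under another uid (a setuid CGI wrapper, say), that uid must be able to read the file, which is exactly the point at which it is no more and no less readable than anything else the script could read.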