Re: custom authentication functions

> > This problem doesn't require a change in CGI. CGI is for more than
> > Unix. Unix systems have to find another solution. Ignoring the problem
> > is one of them.
> 
> Except that CGI is supposed to be server, language, and OS independant,
> yes?

That's the goal. It's clearly not realizable in general. Some
languages/platforms/OSes have to have exceptions to deal with things
that don't exist or they can't do or - in this case - are a security
risk.

> Thus, if I say "HTTP_AUTHORIZATION" goes in the environment for
> everything but UNIX, and in UNIX that data gets passed on file handle 12
> (or in shared memory or whatever), then it's going to be very difficult to
> write a CGI script that will work under multiple operating systems,
> especially those that don't refer to file handles with numbers.

Nope. I've got a web server running on a platform that has
case-insensitive environment variable names. I can write CGI scripts
that grab "http_referer" and the like, and they'll work perfectly on
that playtform.  That's a good way to write non-portable scripts, and
the platform-dependent part of the spec recommends that you not do
that.  Similarly, PATH_TRANSLATED isn't always available (I initially
didn't provide it because I couldn't do it reliably; my users wanted
it even after I explained the unreliability issue, so the latest beta
provides it); you can write scripts that depend on PATH_TRANSLATED and
they'll break on some servers. Or you can write scripts that check for
it and deal with it not being set in some sane way.

Same thing here. I dislike the suggestion you've made, because it's
very unix centric. Your idea of a file that's a second argument to the
script with that CGI variable in it is a good one. Possibly allowing
all CGI variables to come in that way would be usefull. A portable
script then checks for that extra argument and if it exists loads it
into an associative array to be checked for variables.

Yes, it's a bit of extra work to write portable code. That's always
been true, and I don't think we're going to change it.

Right now, the problem is that all servers do this DIFFERENTLY; there
is either no way for a CGI script to get that information, or it's
somewhere that's very server dependent. One solution that would work
for as many servers as possible would be a better idea. But it belongs
in CGI/1.2, not 1.1.

> BTW, I think we're in violent agreement here. I would think the proper
> approach is to have a flag in the server (perhaps on a per-script basis)
> that would say whether to pass the authentication information in the
> environment.

This doesn't solve the problem for people who want access to the
authorization data but are on systems with hostile users and a stock
ps. Other solutions do.

	<mike

Received on Friday, 29 March 1996 13:38:25 UTC