- From: Darren New <dnew@yuan.fv.com>
- Date: Fri, 29 Mar 1996 08:49:57 -0800 (PST)
- To: Mike Meyer <mwm@contessa.phone.net>
- Cc: www-talk@w3.org
On Thu, 28 Mar 1996, Mike Meyer wrote:

> This problem doesn't require a change in CGI. CGI is for more than
> Unix. Unix systems have to find another solution. Ignoring the problem
> is one of them.

Except that CGI is supposed to be server, language, and OS independent, yes? Thus, if I say "HTTP_AUTHORIZATION" goes in the environment for everything but UNIX, and in UNIX that data gets passed on file handle 12 (or in shared memory or whatever), then it's going to be very difficult to write a CGI script that will work under multiple operating systems, especially those that don't refer to file handles with numbers.

> At least two used to. They've both since been fixed to not do that to
> avoid the security issues above.

Fixed? Gelded, perhaps? ;-)

BTW, I think we're in violent agreement here. I would think the proper approach is to have a flag in the server (perhaps on a per-script basis) that would say whether to pass the authentication information in the environment. Another possibility is to write the authentication out to a temp file only readable by the http process, then pass the name of the file in the environment. Several more disk I/O's per hit, but it's at least as secure as http. (If you can read the authentication file, you can read whatever the CGI script would have read anyway.)

--Darren
Received on Friday, 29 March 1996 12:13:52 UTC
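The two approaches Darren sketches, a per-script server flag deciding whether HTTP_AUTHORIZATION is exported into the CGI child's environment, and a fallback that writes the header to a file readable only by the http uid and exports just its path, can be shown end to end in a small script. This is an added example, not code from the thread or from any server discussed in it; it assumes a POSIX system, and the variable name HTTP_AUTHORIZATION_FILE, the `script_trusted` flag and the sample header value are assumptions made for the demonstration.

```python
"""Added example: hand an Authorization header to a CGI child either via the
environment (trusted script) or via a 0600 temp file whose path is exported.
Not code from the www-talk thread; names below are assumptions."""
import os
import stat
import subprocess
import sys
import tempfile

# Constructed sample header value for the demo; not a real credential.
SAMPLE_AUTH = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

# Assumed name of the environment variable that carries the handoff file path.
AUTH_FILE_VAR = "HTTP_AUTHORIZATION_FILE"


def build_cgi_env(auth_value, script_trusted, base_env=None):
    """Server side: return (env, temp_path) for launching one CGI request.

    script_trusted plays the role of the per-script server flag: a trusted
    script receives HTTP_AUTHORIZATION in its environment; any other script
    gets only the path of a mode-0600 file holding the value.
    """
    env = dict(base_env or {})
    if script_trusted:
        env["HTTP_AUTHORIZATION"] = auth_value
        return env, None
    fd, path = tempfile.mkstemp(prefix="cgi-auth-")
    try:
        os.fchmod(fd, 0o600)               # owner (the http uid) only
        os.write(fd, auth_value.encode())
    except Exception:
        os.unlink(path)
        raise
    finally:
        os.close(fd)
    env[AUTH_FILE_VAR] = path
    return env, path


def read_handoff(env):
    """CGI side: obtain the credential from the environment or the handoff file.

    The file is opened without following symlinks, must be a regular file owned
    by the current uid with no group/other permission bits, and is unlinked
    after a single read so the credential does not outlive the request.
    """
    if "HTTP_AUTHORIZATION" in env:
        return env["HTTP_AUTHORIZATION"]
    path = env.get(AUTH_FILE_VAR)
    if path is None:
        return None
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("handoff path is not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError("handoff file is owned by another uid")
        if st.st_mode & 0o077:
            raise PermissionError("handoff file is group/world accessible")
        data = os.read(fd, 64 * 1024).decode()
    finally:
        os.close(fd)
    os.unlink(path)
    return data


def handoff_accepts_mode(mode):
    """Check helper: does read_handoff trust a handoff file with this mode?"""
    fd, path = tempfile.mkstemp(prefix="cgi-auth-")
    os.fchmod(fd, mode)
    os.write(fd, b"x")
    os.close(fd)
    try:
        read_handoff({AUTH_FILE_VAR: path})
        return True
    except PermissionError:
        return False
    finally:
        if os.path.exists(path):
            os.unlink(path)


def child_auth_keys(env):
    """Spawn a child with env and report which HTTP_AUTH* names are present in
    its environment, i.e. what the child (or anything able to inspect its
    environment) would see."""
    code = ("import os; print('\\n'.join(sorted(k for k in os.environ "
            "if k.startswith('HTTP_AUTH'))))")
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True).stdout
    return out.split()


def demo(script_trusted):
    """Run one handoff end to end: (env names visible to the child, value the
    CGI side reads, whether a temp file was left behind)."""
    env, path = build_cgi_env(SAMPLE_AUTH, script_trusted, base_env=os.environ)
    keys = child_auth_keys(env)
    value = read_handoff(env)
    leftover = path is not None and os.path.exists(path)
    return keys, value, leftover


if __name__ == "__main__":
    print("trusted script  :", demo(True))
    print("untrusted script:", demo(False))
```

The owner and mode checks in `read_handoff` are the part that makes the file route worth its extra I/O: a path in the environment is just a string, but the file behind it can be verified before it is trusted, and removing it after one read keeps the credential from outliving the request.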