Erlang/OTP Forums

Yaws mailing list ~ yaws_cgi.erl patch for env variables - AUTH_USER etc

Guest
Posted: Wed Feb 07, 2007 3:08 am
> > The purpose is to add various HTTP authentication related variables to
> > the cgi environment, in line (I think) with how some other webservers do
> > it.
>
> Thanks - patch looks good and is now applied in CVS
>
Great..
Just a note re security...
While some apps may depend on being able to get the clear text AUTH_PASSWORD
and/or HTTP_AUTHORIZATION info.. it'll probably concern some people that
there's no way to stop this going through to the cgi script.

RFC 3875 (CGI 1.1) indicates that a server 'should not' pass on header
fields that may carry sensitive information
to the script 'unless explicitly configured to do so'.

I don't think it's practical to know what fields are considered 'sensitive'
in every environment - so I think rather than try to decide this up front -
it would be better to pass all through - but allow a custom 'suppression
list' in the conf file.
(and perhaps provide a sensible example in the default yaws.conf)
e.g. something like:
cgi_env_suppress = ["HTTP_AUTHORIZATION","AUTH_PASSWORD"]

Alternatively - it may be better to change the yaws_cgi:cgi_env/5 function
so that all vars including HTTP Auth related ones can be overridden by
ExtraEnv - and allow the ExtraEnv data to be supplied from the .conf.
e.g. cgi_env_override = ??
i.e. someone might prefer to have the AUTH_PASSWORD variable exist in the
cgi's environment but be set to an empty string or a particular value.

Julian Noble
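To make the two proposals above concrete (a suppression list that drops variables, and an override list that keeps a variable but replaces its value), here is an added Erlang illustration. It is not Yaws code and does not use the yaws_cgi:cgi_env/5 API; the module name `cgi_env_filter`, the function `apply_policy/3` and the sample environment are assumptions made for the example. The environment is modelled as a list of `{Name, Value}` string pairs, which is how a CGI handler would typically assemble it before spawning the script.

```erlang
%% Added illustration (hypothetical module, not part of Yaws): apply a
%% suppression list and an override list to a CGI environment before it
%% is handed to the script, so that sensitive headers never reach it
%% unless the administrator explicitly allows them.
-module(cgi_env_filter).
-export([apply_policy/3, demo/0]).

%% Env      : [{Name, Value}] pairs as the server built them.
%% Suppress : list of variable names to remove entirely
%%            (the proposed cgi_env_suppress setting).
%% Override : [{Name, Value}] pairs that replace an existing value or add
%%            a new variable (the proposed cgi_env_override setting).
%% Suppression runs first, so an override can deliberately reintroduce a
%% variable with a harmless value (e.g. an empty AUTH_PASSWORD).
apply_policy(Env, Suppress, Override) ->
    Kept = [KV || {K, _} = KV <- Env, not lists:member(K, Suppress)],
    lists:foldl(fun({K, V}, Acc) ->
                        %% keystore/4 replaces the first matching tuple or
                        %% appends when the key is absent.
                        lists:keystore(K, 1, Acc, {K, V})
                end, Kept, Override).

%% Constructed sample: a Basic-auth request as a CGI handler might expose it.
demo() ->
    Env = [{"REQUEST_METHOD", "GET"},
           {"AUTH_TYPE", "Basic"},
           {"AUTH_USER", "alice"},
           {"AUTH_PASSWORD", "example-password"},
           {"HTTP_AUTHORIZATION", "Basic ZXhhbXBsZQ=="}],
    Suppress = ["HTTP_AUTHORIZATION"],
    Override = [{"AUTH_PASSWORD", ""}],
    %% Returns:
    %% [{"REQUEST_METHOD","GET"},{"AUTH_TYPE","Basic"},
    %%  {"AUTH_USER","alice"},{"AUTH_PASSWORD",""}]
    apply_policy(Env, Suppress, Override).
```

Compile with `erlc cgi_env_filter.erl` and call `cgi_env_filter:demo().` from the shell. The design choice worth noting is the order of operations: suppression before override means the conf file can express both "never pass this" and "pass it, but blanked", which covers the two preferences the post describes without the server having to decide up front which fields count as sensitive.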



