[Web-SIG] Other kinds of environment variables
Phillip J. Eby
pje at telecommunity.com
Fri Aug 27 06:11:49 CEST 2004
At 08:44 PM 8/26/04 -0700, Mark Nottingham wrote:
>Digest auth sucks much less, and also uses REMOTE_USER.
As I said, REMOTE_USER in a CGI environment leads to nasty local-system
security holes: potentially a local user can just set
REMOTE_USER=whoeverIwantToBe and invoke the application.
Maybe we should, however, have a configuration key for
'wsgi.auth_available' that indicates the availability of the
HTTP_AUTHORIZATION header. Absence of 'wsgi.auth_available' would mean
that the availability is unknown, while true or false would indicate
definite availability or lack thereof.
More information about the Web-SIG