authentication for xmlrpc via cgi

David M. Cooke cookedm+news at physics.mcmaster.ca
Thu Sep 22 23:54:02 CEST 2005


qhfgva at gmail.com writes:

> I'm using python 2.2 (hopefully we'll be upgrading our system to 2.3
> soon) and I'm trying to prototype some xml-rpc via cgi functionality.
> If I override the Transport class on the xmlrpclib client and add some
> random header like "Junk", then when I have my xmlrpc server log it's
> environment when running, I see the HTTP_JUNK header.  If I do this
> with AUTHORIZATION, the header is not found.
>
> Does this ring a bell for anyone?  Am I misunderstanding how to use
> this header?  I'm guessing that Apache might be eating this header, but
> I don't know why.

By default, Apache does eat that. It's a compile time default; the
Apache developers think it's a security hole. Here's a note about it:

http://httpd.apache.org/dev/apidoc/apidoc_SECURITY_HOLE_PASS_AUTHORIZATION.html

>From what I can see, this is still true in Apache 2.

-- 
|>|\/|<
/--------------------------------------------------------------------------\
|David M. Cooke
|cookedm(at)physics(dot)mcmaster(dot)ca



More information about the Python-list mailing list