[Web-SIG] Other kinds of environment variables

Phillip J. Eby pje at telecommunity.com
Fri Aug 27 06:11:49 CEST 2004

At 08:44 PM 8/26/04 -0700, Mark Nottingham wrote:
>Digest auth sucks much less, and also uses REMOTE_USER.

As I said, REMOTE_USER in a CGI environment leads to nasty local-system 
security holes: potentially a local user can just set 
REMOTE_USER=whoeverIwantToBe and invoke the application.

Maybe we should, however, have a configuration key for 
'wsgi.auth_available' that indicates the availability of the 
HTTP_AUTHORIZATION header.  Absence of 'wsgi.auth_available' would mean 
that the availability is unknown, while true or false would indicate 
definite availability or lack thereof.

More information about the Web-SIG mailing list