[Web-SIG] Other kinds of environment variables
Phillip J. Eby
pje at telecommunity.com
Mon Aug 30 05:16:00 CEST 2004
At 12:11 AM 8/27/04 -0400, Phillip J. Eby wrote:
>At 08:44 PM 8/26/04 -0700, Mark Nottingham wrote:
>>Digest auth sucks much less, and also uses REMOTE_USER.
>
>As I said, REMOTE_USER in a CGI environment leads to nasty local-system
>security holes: potentially a local user can just set
>REMOTE_USER=whoeverIwantToBe and invoke the application.
>
>Maybe we should, however, have a configuration key for
>'wsgi.auth_available' that indicates the availability of the
>HTTP_AUTHORIZATION header. Absence of 'wsgi.auth_available' would mean
>that the availability is unknown, while true or false would indicate
>definite availability or lack thereof.
Nobody's responded to this; does that mean you all think it's a brilliant
idea? ;)
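As an added example that is not part of the original thread, here is a Python helper in the WSGI style that applies the concern above: it refuses to believe a REMOTE_USER that the gateway has not vouched for and, when the proposed `wsgi.auth_available` key is true, takes the identity from HTTP_AUTHORIZATION instead. The `wsgi.remote_user_trusted` key, the `verify` callback and the demo user store are assumptions for illustration, not anything the thread or the WSGI spec defines.

```python
import base64
import hmac


def authenticate(environ, verify):
    """Return (user, source) for a request, or (None, reason) when no
    identity can be asserted safely.

    REMOTE_USER is honoured only when the gateway marks it as its own
    (assumed key 'wsgi.remote_user_trusted'); in a bare CGI environ any
    local caller can export REMOTE_USER before invoking the script, so an
    unvouched value is ignored rather than believed.  When the proposed
    'wsgi.auth_available' key is True, the Basic credential carried in
    HTTP_AUTHORIZATION is decoded and checked through the verify callback.
    """
    if environ.get("wsgi.remote_user_trusted") is True and environ.get("REMOTE_USER"):
        return environ["REMOTE_USER"], "gateway"
    available = environ.get("wsgi.auth_available")
    if available is None:
        return None, "auth-availability-unknown"  # key absent: unknown, per the proposal
    if available is not True:
        return None, "auth-unavailable"
    scheme, _, credential = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not credential.strip():
        return None, "no-basic-credential"
    try:
        raw = base64.b64decode(credential.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None, "malformed-credential"
    user, sep, password = raw.partition(":")
    if not sep or not user or not verify(user, password):
        return None, "bad-credential"
    return user, "http-authorization"


def basic_header(user, password):
    """Build an HTTP Basic Authorization value (used here to construct sample input)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


# Constructed demo credential store; a real application would store password hashes.
DEMO_USERS = {"alice": "s3cret"}


def demo_verify(user, password):
    """Constant-time comparison against the demo store."""
    expected = DEMO_USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8"))
```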