[Web-SIG] Other kinds of environment variables

Phillip J. Eby pje at telecommunity.com
Mon Aug 30 05:16:00 CEST 2004


At 12:11 AM 8/27/04 -0400, Phillip J. Eby wrote:
>At 08:44 PM 8/26/04 -0700, Mark Nottingham wrote:
>>Digest auth sucks much less, and also uses REMOTE_USER.
>
>As I said, REMOTE_USER in a CGI environment leads to nasty local-system 
>security holes: potentially a local user can just set 
>REMOTE_USER=whoeverIwantToBe and invoke the application.
>
>Maybe we should, however, have a configuration key for 
>'wsgi.auth_available' that indicates the availability of the 
>HTTP_AUTHORIZATION header.  Absence of 'wsgi.auth_available' would mean 
>that the availability is unknown, while true or false would indicate 
>definite availability or lack thereof.

Nobody's responded to this; does that mean you all think it's a brilliant 
idea?  ;)
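The risk in the quoted paragraph is that a CGI process inherits its environment, so a key such as REMOTE_USER may have been exported by whoever launched the process rather than set by the web server. The following is an added example, not code from the Web-SIG thread or from any WSGI implementation: a gateway that copies authentication keys into the WSGI environ only when it knows the server set them, and that populates the proposed 'wsgi.auth_available' key with the absent/True/False semantics described above. The function names, the `server_set_keys` parameter and the sample environment are assumptions constructed for illustration.

```python
# Added example (not from the Web-SIG thread): a CGI-to-WSGI gateway that
# refuses to trust an inherited REMOTE_USER and fills in the proposed
# 'wsgi.auth_available' key. Names and sample data are assumptions.

# Keys that assert an identity and therefore must come from the server.
TRUSTED_AUTH_KEYS = ("REMOTE_USER", "AUTH_TYPE")


def build_wsgi_environ(process_env, server_set_keys, authorization_passed=None):
    """Build a WSGI environ from a CGI-style process environment.

    process_env          -- the CGI process's environment; in CGI it may have
                            been inherited from a local user's shell
    server_set_keys      -- keys the gateway knows the web server itself set
    authorization_passed -- True/False when the gateway knows whether
                            HTTP_AUTHORIZATION reaches the app, None if unknown
    """
    environ = {}
    for key, value in process_env.items():
        # Identity-bearing keys are dropped unless the server set them,
        # so an inherited REMOTE_USER never reaches the application.
        if key in TRUSTED_AUTH_KEYS and key not in server_set_keys:
            continue
        environ[key] = value
    # Proposed key semantics: absent = unknown, True/False = definite answer.
    if authorization_passed is not None:
        environ["wsgi.auth_available"] = bool(authorization_passed)
    return environ


def authenticated_user(environ):
    """Return the user the gateway vouches for, or None if there is none."""
    return environ.get("REMOTE_USER")


# Constructed sample: REMOTE_USER was already present in the process
# environment before the CGI script started, not set by the web server.
inherited_env = {
    "REMOTE_USER": "someone",
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/",
}

if __name__ == "__main__":
    # Nothing vouched for the value, so the application sees no user.
    print(authenticated_user(build_wsgi_environ(inherited_env, set())))
    # When the server set it, it is passed through.
    print(authenticated_user(build_wsgi_environ(inherited_env, {"REMOTE_USER"})))
```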