From apwww@hyperreal.org Mon Sep 29 04:01:33 1997 Received: (from apwww@localhost) by hyperreal.org (8.8.5/8.8.5) id EAA10883; Mon, 29 Sep 1997 04:01:33 -0700 (PDT) Message-Id: <199709291101.EAA10883@hyperreal.org> Date: Mon, 29 Sep 1997 04:01:33 -0700 (PDT) From: Jens Hamisch Reply-To: jens@agix.net To: apbugs@hyperreal.org Subject: Authorized user is not passed to CGI scripts X-Send-Pr-Version: 3.2 >Number: 1173 >Category: mod_access >Synopsis: Authorized user is not passed to CGI scripts >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Sep 29 04:10:01 1997 >Last-Modified: Thu Nov 13 07:34:06 PST 1997 >Originator: jens@agix.net >Organization: >Release: 1.2.1 >Environment: SunOS sol 5.5.1 Generic_103640-08 sun4m sparc SUNW,SPARCstation-10 gcc --version 2.7.2 >Description: A database frontend was set up through the Apache 1.2.1 webserver. This frontend connects a mSQL database in order to update it. User authorization is done using the mod_auth_msql module. The database frontend is setup as a frameset (of 2 frame) of which the right frame contains a menu and the left contains the FORMS pages, which allow updating data items. As I can see in the access log file, the HTTP server prompts for the user name an the password, authorizes the user and returns either the frameset as well as the right frame to that user. The CGI script, which is contained in the left frame is called without the authorized user environment variable (REMOTE USER) being set up accordingly. The log file shows the following gate.class.de - admin [29/Sep/1997:12:46:18 +0200] "GET /Admin/ HTTP/1.0" 200 644 gate.class.de - admin [29/Sep/1997:12:46:19 +0200] "GET /Admin/right.html HTTP/1.0" 200 1032 gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /Gifs/syslog1.gif HTTP/1.0" 200 14677 gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /cgi-bin/nph-count?width=5&link=/admin.html HTTP/1.0" 200 1759 gate.class.de - "" [29/Sep/1997:12:46:22 +0200] "GET /cgi-bin/Admin/main.pl HTTP/1.0" 200 1952 gate.class.de - - [29/Sep/1997:12:46:22 +0200] "GET /Headgrafs/01.gif HTTP/1.0" 404 169 As you can see in the 5th line, instaed of the user name, an empty string is shown for the CGI request. This problem was not present in Apache 1.1.1. It first occured when we updated to Apache 1.2.1. >How-To-Repeat: There's no site containing this bug which is public available. The database is mission-critical, so I'm not allowed to pas you a password. >Fix: N >Audit-Trail: State-Changed-From-To: open-feedback State-Changed-By: coar State-Changed-When: Mon Sep 29 05:12:01 PDT 1997 State-Changed-Why: I believe your problem is due to a misunderstanding. The CGI script is treated as a completely separate request, and since it's coming from /cgi-bin/ it isn't in the same authorisation realm as the rest of the information, and so isn't being passed any authorisation data because /cgi-bin/ doesn't require any. Try putting your CGI script into a directory under your /Admin/ location so it will require the same authorisation information, and I think you'll see the remote username become available. Remember to rename it to "nph-count.cgi" and refer to it by that name, and ensure that your config files include a "AddHandler cgi-script .cgi" line. Or you can add another ScriptAlias directory under the /Admin/ location, put the script there, and not have to rename it. Please let me know how this affects your problem. State-Changed-From-To: feedback-closed State-Changed-By: coar State-Changed-When: Thu Nov 13 07:34:06 PST 1997 State-Changed-Why: No response from submitter, assuming closed. >Unformatted: