Apache patch to defer auth to CGI scripts


Currently apache requires recompilation to allow a CGI script access to the authorization information. The maintainer must recompile with -DSECURITY_HOLE_PASS_AUTHORIZATION. There are security vulnerablilties associated with this patch:

system users
All information is passed from the web server to the CGI script via environment variables. Users on the system may examine the environment of a spawned script and extract the authentication credentials for that were passed to the script.
script authors
Any script author may get the authentication credentials for a user in any realm on the server. This means you have to trust all script authors to be resoponsible with user credentials. If

These patches are for a system where there are no untrusted users but there may be unstrusted scripts. The patch allows the administrator to defer authentication to scripts on a per-directory basis. On systems with remote authoring, ie no untrusted users with shell access, but untrusted users able to insert scripts of their choosing into the resource tree. It would probably be prudent to disable Options in .htaccess files (AllowOverride None).


This patch is not submitted to apache as it has not been tested. It is unlikely to be incorporated if it is submitted as it marginally increases the ease of introducing a security hole (editing httpd.conf or .htaccess instead of recompiling apache).


The principal change occurs in util_script:

-  	else if (!strcasecmp(hdrs[i].key, "Authorization") 
-  		 || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
+  	else if (!(ap_allow_options(r) & OPT_PASSAUTH) && 
+  	         (!strcasecmp(hdrs[i].key, "Authorization") 
+ 		  || !strcasecmp(hdrs[i].key, "Proxy-Authorization"))) {
-  #endif

shoule be more like

	else if (!strcasecmp(hdrs[i].key, "Authorization") 
		 || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {

We'd need to defind OPT_PASSAUTH in http_core.h

  #define OPT_INCNOEXEC 32
  #define OPT_SYM_OWNER 64
  #define OPT_MULTI 128
+ #define OPT_PASSAUTH 256

and associate the two in http_core.c

  	else if (!strcasecmp(w, "execCGI")) {
  	    opt = OPT_EXECCGI;
+ 	else if (!strcasecmp(w, "PassAuth")) {
+ 	    opt = OPT_PASSAUTH;
+ 	}
  	else if (!strcasecmp(w, "MultiViews")) {
  	    opt = OPT_MULTI;

Now you may defer authentication to scripts in trusted directories by adding the PassAuth directive to the directory Options:

-    Options ExecCGI
+    Options ExecCGI PassAuth