Currently apache requires recompilation to allow a CGI script access to the authorization information. The maintainer must recompile with -DSECURITY_HOLE_PASS_AUTHORIZATION. There are security vulnerablilties associated with this patch:
These patches are for a system where there are no untrusted users but there may be unstrusted scripts. The patch allows the administrator to defer authentication to scripts on a per-directory basis. On systems with remote authoring, ie no untrusted users with shell access, but untrusted users able to insert scripts of their choosing into the resource tree. It would probably be prudent to disable Options
in .htaccess
files (AllowOverride None
).
This patch is not submitted to apache as it has not been tested. It is unlikely to be incorporated if it is submitted as it marginally increases the ease of introducing a security hole (editing httpd.conf or .htaccess instead of recompiling apache).
The principal change occurs in util_script:
- #ifndef SECURITY_HOLE_PASS_AUTHORIZATION - else if (!strcasecmp(hdrs[i].key, "Authorization") - || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) { + else if (!(ap_allow_options(r) & OPT_PASSAUTH) && + (!strcasecmp(hdrs[i].key, "Authorization") + || !strcasecmp(hdrs[i].key, "Proxy-Authorization"))) { continue; } - #endif
shoule be more like
else if (!strcasecmp(hdrs[i].key, "Authorization") || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) { continue; }
We'd need to defind OPT_PASSAUTH in http_core.h
#define OPT_INCNOEXEC 32 #define OPT_SYM_OWNER 64 #define OPT_MULTI 128 + #define OPT_PASSAUTH 256 #define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
and associate the two in http_core.c
else if (!strcasecmp(w, "execCGI")) { opt = OPT_EXECCGI; } + else if (!strcasecmp(w, "PassAuth")) { + opt = OPT_PASSAUTH; + } else if (!strcasecmp(w, "MultiViews")) { opt = OPT_MULTI; }
Now you may defer authentication to scripts in trusted directories by adding the PassAuth directive to the directory Options:
- Options ExecCGI + Options ExecCGI PassAuth