Can the REMOTE_USER env variable be faked?

  • 19-03-2006 10:17pm #1


    I am using perl but the same issue applies to PHP or any other server-side code.

    A few of my perl CGI scripts have 'admin' functionality that is only enabled when accessed from within a directory protected with Basic authentication ('require valid-user' in my .htaccess file). Keeping the normal and admin code in the same file makes maintenance easier.
    My code is something like:
    do_admin_stuff() if ( $ENV{'REMOTE_USER'} eq 'the_user' );
    # or
    do_admin_stuff() if ( remote_user() eq 'the_user' ); # CGI.pm function.
    
    Can the REMOTE_USER environment variable be set by the client in such a way as to bypass the server-side authentication? I'm thinking that it can't be as the server sets the environment variable, but since the page's referrer can be faked I figured I'd ask to be sure.
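An added example, not code from the post above, that models how a CGI gateway such as Apache builds the script's environment so the answer can be seen rather than assumed: request headers are exposed only under an HTTP_ prefix, while REMOTE_USER and AUTH_TYPE are set by the server after it has verified the credentials. The function names and the sample requests are illustrative assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the original post): a model of the environment a
# CGI gateway hands to a script, used to show why a client-sent header can
# never become REMOTE_USER. Function names and sample inputs are assumptions.
use strict;
use warnings;

# Per the CGI spec (RFC 3875) every request header the gateway passes through
# is renamed HTTP_<NAME> (uppercased, '-' replaced by '_'). REMOTE_USER and
# AUTH_TYPE are only added by the server itself, after authentication.
sub build_cgi_env {
    my ($headers, $authenticated_as) = @_;
    my %env;
    for my $name (keys %$headers) {
        (my $key = uc $name) =~ tr/-/_/;
        $env{"HTTP_$key"} = $headers->{$name};
    }
    if (defined $authenticated_as) {
        $env{AUTH_TYPE}   = 'Basic';
        $env{REMOTE_USER} = $authenticated_as;
    }
    return \%env;
}

# The check from the post, made warning-free: REMOTE_USER is absent entirely
# when the same script is reached through a directory without 'require valid-user'.
sub is_admin {
    my ($env) = @_;
    return defined $env->{REMOTE_USER} && $env->{REMOTE_USER} eq 'the_user';
}

# 1) Anonymous request carrying a constructed "Remote-User" header: it lands
#    in HTTP_REMOTE_USER, REMOTE_USER stays unset and the admin branch is skipped.
my $anon = build_cgi_env({ 'Remote-User' => 'the_user' }, undef);
print "anonymous:     HTTP_REMOTE_USER=", ($anon->{HTTP_REMOTE_USER} // ''),
      " REMOTE_USER=", ($anon->{REMOTE_USER} // '<unset>'),
      " admin=", (is_admin($anon) ? 1 : 0), "\n";

# 2) Request that passed Basic authentication as the_user.
my $real = build_cgi_env({ 'User-Agent' => 'curl' }, 'the_user');
print "authenticated: REMOTE_USER=", $real->{REMOTE_USER},
      " admin=", (is_admin($real) ? 1 : 0), "\n";
```

The `defined` guard matters because the post keeps normal and admin code in one file: if that file is also reachable from an unprotected path, `$ENV{'REMOTE_USER'}` does not exist there and the bare `eq` comparison would emit an "uninitialized value" warning on every request.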


Comments

  • rsynnott


    This is the remote_user coming from Apache? Nope, it should be safe enough.


  • daymobrew


    REMOTE_USER is the one set by Apache when the script is subject to authentication.

