Copterfly / modwsgi

Automatically exported from code.google.com/p/modwsgi

Allow WSGIPassAuthorization in htaccess when AuthConfig allowed. #51

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The intent of WSGIPassAuthorization can be bypassed when FileInfo is
allowed for .htaccess and mod_rewrite is available.

   RewriteEngine on
   RewriteBase /
   RewriteCond %{HTTP:Authorization}  ^(.*)
   RewriteRule ^(.*)$ $1 [e=HTTP_AUTHORIZATION:%1]

There isn't really anything that can be done about this. Even if mod_wsgi
always cleared HTTP_AUTHORIZATION variable, user could pass it through
variable of different name.

Given that this sort of issue exists, not allowing WSGIPassAuthorization
when AuthConfig is set seems to be less of an issue.

Original issue reported on code.google.com by Graham.Dumpleton@gmail.com on 15 Jan 2008 at 4:43

GoogleCodeExporter commented 8 years ago
In general, any directive that can set an HTTP header based on the value of another
HTTP header can be used to subvert this. In addition to mod_rewrite, mod_headers can
also be used:

    Header set AUTHORIZATION-HACK %{AUTHORIZATION}e

mod_rewrite and mod_headers require the "FileInfo" override. FileInfo has to be
considered instead of, or in addition to, AuthConfig.

The motivation for allowing WSGIPassAuthorization in .htaccess is explained here:
http://groups.google.com/group/modwsgi/msg/98b55b7b33143a1a:

"There are a lot of (Python) web applications that are implementing new
authentication protocols like OpenID, or emulating the Amazon.com Web
Services or Google Auth authentication mechanisms.  If you want these
applications to be deployable behind mod_wsgi in a shared web hosting
environment, then they need to be able to process the Authorization
header."

Original comment by brianlsm...@gmail.com on 15 Jan 2008 at 7:42
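As an added illustration (not code from the issue thread or from mod_wsgi itself) of why the quoted applications need the header passed through: a WSGI application implementing a hypothetical HMAC token scheme can only see the client's credentials if Apache forwards them as `HTTP_AUTHORIZATION` in the WSGI environ, which is what `WSGIPassAuthorization On` (or the mod_rewrite/mod_headers workarounds above) achieves. The scheme name `HMAC`, the shared secret and the environ dicts are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret for the example; a deployment would load it from config.
SECRET = b"example-shared-secret"

def sign(user: str) -> str:
    """Build a token 'user:hexmac' for the hypothetical HMAC scheme."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def authenticate(environ: dict):
    """Return the user name if HTTP_AUTHORIZATION carries a valid token, else None.

    When Apache does not pass the Authorization header through (no
    WSGIPassAuthorization On), the key is simply absent from environ and
    the application cannot authenticate anyone with its own scheme.
    """
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = header.partition(" ")
    if scheme != "HMAC" or ":" not in token:
        return None
    user, _, mac = token.rpartition(":")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if hmac.compare_digest(mac, expected):
        return user
    return None

def handle(environ: dict):
    """Return (status, headers, body) for a request; kept separate for testing."""
    user = authenticate(environ)
    if user is None:
        headers = [("Content-Type", "text/plain"),
                   ("WWW-Authenticate", 'HMAC realm="demo"')]
        return "401 Unauthorized", headers, b"authorization header missing or invalid\n"
    return "200 OK", [("Content-Type", "text/plain")], f"hello {user}\n".encode()

def application(environ, start_response):
    """Standard WSGI entry point built on handle()."""
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]
```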

GoogleCodeExporter commented 8 years ago
Change committed in revision 790 of trunk, but allowed when FileInfo override 
is used instead of AuthConfig.

Original comment by Graham.Dumpleton@gmail.com on 17 Jan 2008 at 9:17

GoogleCodeExporter commented 8 years ago
Version 2.0 of mod_wsgi now released with this change.

Original comment by Graham.Dumpleton@gmail.com on 20 Mar 2008 at 4:51