perlquestion
spacey
Hello,
Hopefully this is a simple yes/no question, but time will tell :)<p>
If you have an Apache website running a simple .cgi script<br>
And protecting this script is a standard .htaccess file.<p>
Is it safe to trust $ENV{'REMOTE_USER'}; in a script to inject the username for later processing?<br>
<p>
For example:<br>
Can a user, once logged into the .htaccess area, change the $ENV{'REMOTE_USER'}; variable to another name?<br>
<br>
Thus making it not safe to presume $ENV{'REMOTE_USER'}; is still the correct user?<br>
<br>
I hope to use $ENV{'REMOTE_USER'}; to base what a user can/cannot view on the site. Having written the code I’m now unsure if I have opened up a whole new security problem.<br>
<br>
Your advice and suggestions would be much appreciated.<br>
Regards,<br>
Gareth