Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number

ENV{'REMOTE_USER'} is it safe?

by spacey (Scribe)
on Sep 28, 2003 at 16:54 UTC ( #294767=perlquestion: print w/replies, xml ) Need Help??

spacey has asked for the wisdom of the Perl Monks concerning the following question:

Hello, Hopefully this is a simple yes/ no question but time will tell :)

If you have an apache website running a simple .cgi script
And protecting this script a standard .htaccess file.

Is it safe to trust $ENV{'REMOTE_USER'}; in a script to inject the usename for later processing.

For example:
Can a user once logged into the .htaccess area change the $ENV{'REMOTE_USER'}; variable to another name.

Thus making it not safe to presume $ENV{'REMOTE_USER'}; is still the correct user?

I hope to use $ENV{'REMOTE_USER'}; to base what a user can/cannot view on the site. Having written the code Iím now unsure if I have opened up a whole new security problem.

Your advice and suggestions would be much appreciated.

Replies are listed 'Best First'.
Re: ENV{'REMOTE_USER'} is it safe?
by MarkM (Curate) on Sep 28, 2003 at 18:57 UTC
    REMOTE_USER should be safe to use under Apache and most other HTTP servers. The variables that are not safe to use, are the ones that are provided directly from the client. These usually begin with HTTP_*.
      Thanks for the clarification
      I was concerned that a user who may have already authenticated would be able to push a modified REMOTE_USER variable.
        In theory they can. Because HTTP is stateless, the username and password have to be supplied again for each request. Users don't see this because the browser handles it for them. In practice they can't, because most (all?) browsers don't give the user an easy way to change their username and password once they have successfully logged in to your site, but some might, and if they are using their own program or talking raw HTTP at your server or something similar then all bets are off.

        Even so, if the user *can* send some other username/password, that username/password would still have to be accepted by your web server before they could get at any content so it's probably not something you need to worry about.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://294767]
Approved by gmax
Front-paged by grinder
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (6)
As of 2021-05-14 16:22 GMT
Find Nodes?
    Voting Booth?
    Perl 7 will be out ...

    Results (150 votes). Check out past polls.