Re: CGI and REMOTE_USER
robm@ncsa.uiuc.edu (Rob McCool)
Message-id: <9401202122.AA07829@void.ncsa.uiuc.edu>
From: robm@ncsa.uiuc.edu (Rob McCool)
Date: Thu, 20 Jan 1994 15:22:16 -0600
In-Reply-To: George Phillips <phillips@cs.ubc.ca>
"Re: CGI and REMOTE_USER" (Jan 19, 11:49am)
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: George Phillips <phillips@cs.ubc.ca>
Subject: Re: CGI and REMOTE_USER
Cc: www-talk@www0.cern.ch
Content-Length: 929
/*
* Re: CGI and REMOTE_USER
* written on Jan 19, 11:49am.
*
* I only object to the name. It should really be something like
* REMOTE_IDENT. We don't want to promote the fallacies that
* RFC931 gives you the username and, especially, that the information
* it gives you is useful for anything but audit information.
*/
Hmmm, a good point. It is trivial to forge this information and LOGNAME
implies that the variable is really the remote username.
Okay, so how about REMOTE_IDENT? Anyone object to that?
/*
* Along those lines, it should probably be base64 encoded since
* it could be binary.
*/
Why? I see nothing in the RFC which implies that it could be binary, in
fact, the reply is specified to be terminated by a CR/LF pair. Is there
something I'm not reading correctly? Similarly, rfc931.c uses fgets to read
the server's reply which would probably be munged horribly by binary output
from the server.
--Rob
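
Added example, not part of the original message and not taken from rfc931.c: a strict check of an RFC 931 reply line before its user-id is exposed as REMOTE_IDENT, covering the CR/LF termination and binary-data points discussed above. The function name, buffer sizes and the printable-ASCII policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: validate one raw ident reply (buf, len as read from
 * the socket) and copy the user-id into out for use as REMOTE_IDENT.
 * Returns 0 on success, -1 if the reply is rejected. */
int parse_ident_reply(const char *buf, size_t len, char *out, size_t outsz)
{
    char line[256], type[16], user[128];
    unsigned p1, p2;
    size_t i, n;

    /* The reply must be terminated by a CR/LF pair. */
    if (len < 2 || buf[len - 2] != '\r' || buf[len - 1] != '\n')
        return -1;
    n = len - 2;
    if (n >= sizeof line)
        return -1;
    /* Assumed policy: printable ASCII only. This also catches an embedded
     * NUL, which an fgets()/strlen() reader would silently truncate at. */
    for (i = 0; i < n; i++)
        if ((unsigned char)buf[i] < 0x20 || (unsigned char)buf[i] > 0x7e)
            return -1;
    memcpy(line, buf, n);
    line[n] = '\0';

    /* "<port>, <port> : USERID : <opsys> : <user-id>"; an ERROR reply has
     * no fourth field, so sscanf() stops short of 4 conversions. */
    if (sscanf(line, "%u , %u : %15[^ :] : %*[^:]: %127[^\n]",
               &p1, &p2, type, user) != 4)
        return -1;
    if (p1 < 1 || p1 > 65535 || p2 < 1 || p2 > 65535)
        return -1;
    if (strcmp(type, "USERID") != 0 || strlen(user) >= outsz)
        return -1;
    strcpy(out, user);   /* forgeable by the remote host: audit log only */
    return 0;
}

int main(void)
{
    /* Constructed sample reply, not captured traffic. */
    const char reply[] = "6193, 23 : USERID : UNIX : stjohns\r\n";
    char ident[64];
    if (parse_ident_reply(reply, sizeof reply - 1, ident, sizeof ident) == 0)
        printf("REMOTE_IDENT=%s\n", ident);
    return 0;
}
```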