130179 – [PATCH] www/apache22: Enable passing HTTP 'Authorization' headers as compile time option

Bug 130179 - [PATCH] www/apache22: Enable passing HTTP 'Authorization' headers as compile time option

Summary: [PATCH] www/apache22: Enable passing HTTP 'Authorization' headers as compile ...

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	freebsd-apache (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-01-05 08:40 UTC by Chen-Yu Tsai
Modified:	2009-01-12 23:00 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
apache-2.2.11.patch (1.67 KB, patch) 2009-01-05 08:40 UTC, Chen-Yu Tsai	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chen-Yu Tsai 2009-01-05 08:40:01 UTC

By default Apache does not pass the HTTP 'Authorization' header to
other modules, handlers, CGI, etc.. However there is a compile time
macro 'SECURITY_HOLE_PASS_AUTHORIZATION' that enables apache to
include the content of the header in the environment. This patch
creates an option, when turned on, will define the mentioned macro.

Port maintainer (clement@FreeBSD.org) is cc'd.

Generated with FreeBSD Port Tools 0.77

Comment 1 Pav Lucistnik freebsd_committer

2009-01-06 12:38:39 UTC

Responsible Changed
From-To: freebsd-ports-bugs->apache

Assign to maintainer

Comment 2 Philip M. Gollucci freebsd_committer

2009-01-12 22:55:29 UTC

with HTTPD PMC hat:
   This is actually going to be removed and *possibly* replaced with a 
run-time option.

With that in mind, I don't think we should add this, as it actually is a 
security concern.

Comment 3 Philip M. Gollucci freebsd_committer

2009-01-12 22:56:48 UTC

State Changed
From-To: open->closed

closed