in reply to Re: Re: A way to get the User in a variable from htpasswd?
in thread A way to get the User in a variable from htpasswd?

Obviously every CGI program should 'use CGI', but why is it better to get the remote user out of the CGI query?

Unless it's because of tainting... I know that %ENV is considered tainted until/unless you delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; Is the remote_user() that you get out of CGI automatically untainted?

(tye)Re: A way to get the User in a variable from htpasswd?
by tye (Sage) on May 11, 2001 at 02:05 UTC

    No, it isn't because of tainting because fairly recent CGI.pm defines:

    sub remote_user { return $ENV{'REMOTE_USER'}; }

    I advocate using CGI.pm's remote_user() because if, for example, a "broken" web server becomes popular that puts this information into $ENV{AUTHEN_USER} and not $ENV{REMOTE_USER}, then CGI.pm is likely to get updated to take this into consideration and you won't have to fix all of the places you used $ENV{REMOTE_USER} directly (nor waste time discovering the bug in your new server), etc.

            - tye (but my friends call me "Tye")
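An added example, not part of the original thread: since the quoted `remote_user()` only returns `$ENV{'REMOTE_USER'}`, the value is still tainted under `-T` and has to be untainted through a regex capture before use. The helper `clean_remote_user`, the allowlist pattern, and the sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T remote_user_taint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Same body as the CGI.pm definition quoted in the reply above, defined
# locally so the example runs without CGI.pm installed.
sub remote_user { return $ENV{'REMOTE_USER'}; }

# Hypothetical helper: returns an untainted login name, or undef when the
# value does not match the allowlist. The pattern is an assumption; match
# it to the names your htpasswd file actually contains. \A and \z anchor
# the whole string, so a trailing newline is rejected too.
sub clean_remote_user {
    my $raw = remote_user();
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_.-]{1,32})\z/ ? $1 : undef;
}

# Zero-length tainted string. Appending it to a literal taints the literal,
# which stands in for a value supplied by the web server's environment.
my $taint = substr(join('', $0, $^X, values %ENV), 0, 0);

# Constructed sample values, not taken from the thread.
for my $sample ('alice', 'bob.smith', 'carol/../dave', 'x' x 40, '') {
    local $ENV{REMOTE_USER} = $sample . $taint;

    my $raw   = remote_user();
    my $clean = clean_remote_user();

    printf "%-42s raw tainted: %-3s  result: %s\n",
        "'$sample'",
        tainted($raw) ? 'yes' : 'no',
        defined $clean
            ? "'$clean' (tainted: " . (tainted($clean) ? 'yes' : 'no') . ')'
            : 'rejected';
}
```

Only the captured `$1` is untainted; the original `$ENV{REMOTE_USER}` stays tainted, so later code should use the helper's return value and treat `undef` as an authentication failure.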