Re: Re: A way to get the User in a variable from htpasswd?

.htaccess below......running on redhat 6.2 . apache.

AuthUserFile .htpasswd 
AuthGroupFile /dev/null
AuthName "Site"
AuthType Basic

#<Limit GET POST>
<Limit GET>

using in script
[download]

#!/usr/bin/perl -Tw

$| = 1;

use CGI qw(param);
use strict;

my $file = param("file");
my @file_name = split(/\\/,$file);
my $file_name = pop(@file_name);
my $max_file_size = 2000000;
my $base_dir = "/home/ducc/";
my $out_file = $base_dir . $file_name;
my $log_file = $base_dir . "upload.log";
my ($total_bytes_read, $ip_log, $time_log);
my $username = $ENV{REMOTE_USER};

print "Content-type: text/html\n\n";
open (OUT, ">$out_file") || die "Can't open: $!";
open (LOG, ">>$log_file");
  while (my $bytes_read = read($file, my $buffer, 1024)){
    $total_bytes_read += $bytes_read;
    $ip_log = $ENV{'REMOTE_ADDR'};
    $time_log = scalar localtime;
      if ($bytes_read > $max_file_size){
        print "ERROR: The file you tried to upload is will not be uplo
+aded<br>";
        print "Your file is: $bytes_read bytes<br>";
        print "The max file size you can upload is $max_file_size byte
+s<br>";
        close (OUT);
        unlink ($out_file);
        print LOG "ERROR: At $time_log $username tried to upload $out_
+file that was $bytes_read bytes from $ip_log\n";
        die "$time_log: $ip_log tried to upload a file > $max_file_siz
+e";
      }else{
        print OUT "$buffer";
        print LOG "At $time_log $username uploaded $out_file that was 
+$bytes_read bytes from $ip_log\n";
      }
  }
close (OUT) || die "Can't close: $!";
close (LOG);

print "$username has completed uploading $file_name: $total_bytes_read
+ bytes<br>";
print "Done...";
[download]

code above still needs a lot of security checking </code>

Comment on Re: Re: A way to get the User in a variable from htpasswd? Select or Download Code

Replies are listed 'Best First'.
Re: Re: Re: A way to get the User in a variable from htpasswd? by merlyn (Sage) on May 10, 2001 at 23:24 UTC
Don't use `<limit GET POST>`. Stop limiting the limits! I don't see all of your `.htaccess`. Do you have anything that actually requires authentication, like `require valid-user`? Are you sure your `.htaccess` is being read (make a syntax error and you should get error 500: that's the quickest test)? Are you sure the `.htaccess` file applies to the CGI area and not just the text files? -- Randal L. Schwartz, Perl hacker	[reply] [d/l]
Re: Re: Re: Re: A way to get the User in a variable from htpasswd? by electronicMacks (Beadle) on Jul 11, 2001 at 00:39 UTC
I was having a similar problem, and traced it to merlyn's #4 above. Turns out my apache was only set up to allow .htacces on certian directories, not including /cgi-bin/ once that was changed everything worked. Thanks Randal! :)	[reply]
Re: Re: Re: A way to get the User in a variable from htpasswd? by mpolo (Chaplain) on May 11, 2001 at 12:16 UTC
I think you want to add a line to your .htaccess, specifically `require valid-user` (or a list of which users you want to allow, `require user fred marcy judy`). I don't think the REMOTE_USER actually gets set if you don't have this.	[reply] [d/l] [select]
Re: Re: Re: Re: A way to get the User in a variable from htpasswd? by merlyn (Sage) on May 11, 2001 at 16:28 UTC
That was point #2 I made above. And point #1 still needs to be followed: remove the `<limit GET POST>` from the file! -- Randal L. Schwartz, Perl hacker	[reply] [d/l]
A reply falls below the community's threshold of quality. You may see it by logging in.