authentication for xmlrpc via cgi

David M. Cooke cookedm+news at physics.mcmaster.ca
Thu Sep 22 17:54:02 EDT 2005


qhfgva at gmail.com writes:

> I'm using python 2.2 (hopefully we'll be upgrading our system to 2.3
> soon) and I'm trying to prototype some xml-rpc via cgi functionality.
> If I override the Transport class on the xmlrpclib client and add some
> random header like "Junk", then when I have my xmlrpc server log its
> environment when running, I see the HTTP_JUNK header.  If I do this
> with AUTHORIZATION, the header is not found.
>
> Does this ring a bell for anyone?  Am I misunderstanding how to use
> this header?  I'm guessing that Apache might be eating this header, but
> I don't know why.

By default, Apache does eat that. It's a compile-time default; the
Apache developers think it's a security hole. Here's a note about it:

http://httpd.apache.org/dev/apidoc/apidoc_SECURITY_HOLE_PASS_AUTHORIZATION.html

From what I can see, this is still true in Apache 2.

-- 
|>|\/|<
/--------------------------------------------------------------------------\
|David M. Cooke
|cookedm(at)physics(dot)mcmaster(dot)ca
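
An added example, not part of the original post: a CGI-side helper in Python 3 that tells apart the situation described in the thread (no `HTTP_AUTHORIZATION` in the environment, while a custom header such as `HTTP_JUNK` arrives) from server-performed authentication, where the standard CGI variable `REMOTE_USER` is set instead. The function names and sample environments are constructed for illustration.

```python
import base64
import binascii


def parse_basic(value):
    """Decode 'Basic <base64(user:password)>' into (user, password), else None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def identify_caller(environ):
    """Return (source, user, password) for a CGI environment mapping.

    source is 'server'    - the web server authenticated; only REMOTE_USER is exposed
              'header'    - the raw Authorization header reached the script
              'malformed' - a header arrived but is not valid Basic credentials
              'absent'    - neither is present (the situation in the thread)
    """
    remote_user = environ.get("REMOTE_USER")
    if remote_user:
        return ("server", remote_user, None)
    raw = environ.get("HTTP_AUTHORIZATION")
    if raw is None:
        return ("absent", None, None)
    creds = parse_basic(raw)
    if creds is None:
        return ("malformed", None, None)
    return ("header", creds[0], creds[1])


# Constructed sample environments (not captured from a real server).
TOKEN = base64.b64encode(b"alice:s3cret").decode("ascii")
STRIPPED = {"REQUEST_METHOD": "POST", "HTTP_JUNK": "x"}  # as in the thread
PASSED = {"REQUEST_METHOD": "POST", "HTTP_AUTHORIZATION": "Basic " + TOKEN}
SERVER_AUTH = {"REQUEST_METHOD": "POST", "AUTH_TYPE": "Basic", "REMOTE_USER": "alice"}

if __name__ == "__main__":
    for name, env in (("stripped", STRIPPED), ("passed", PASSED), ("server", SERVER_AUTH)):
        print(name, identify_caller(env)[:2])
```

Checking `REMOTE_USER` first means the script never needs the password when the server has already verified it.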


