Re: CGI and REMOTE_USER

Rob McCool (robm@ncsa.uiuc.edu)
Thu, 20 Jan 1994 15:22:16 -0600


/*
* Re: CGI and REMOTE_USER
* written on Jan 19, 11:49am.
*
* I only object to the name. It should really be something like
* REMOTE_IDENT. We don't want to promote the fallacies that
* RFC931 gives you the username and, especially, that the information
* it gives you is useful for anything but audit information.

Hmmm, a good point. It is trivial to forge this information and LOGNAME
implies that the variable is really the remote username.

Okay, so how about REMOTE_IDENT? Anyone object to that?

* Along those lines, it should probably be base64 encoded since
* it could be binary.
*/

Why? I see nothing in the RFC which implies that it could be binary, in
fact, the reply is specified to be terminated by a CR/LF pair. Is there
something I'm not reading correctly? Similarly, rfc931.c uses fgets to read
the server's reply which would probably be munged horribly by binary output
from the server.

--Rob