authentication for xmlrpc via cgi

[qhfgva]

I'm using python 2.2 (hopefully we'll be upgrading our system to 2.3
soon) and I'm trying to prototype some xml-rpc via cgi functionality.
If I override the Transport class on the xmlrpclib client and add some
random header like "Junk", then when I have my xmlrpc server log it's
environment when running, I see the HTTP_JUNK header. If I do this
with AUTHORIZATION, the header is not found.

Does this ring a bell for anyone? Am I misunderstanding how to use
this header? I'm guessing that Apache might be eating this header, but
I don't know why.

thanks,

dustin

 

[David M. Cooke]

I'm using python 2.2 (hopefully we'll be upgrading our system to 2.3
soon) and I'm trying to prototype some xml-rpc via cgi functionality.
If I override the Transport class on the xmlrpclib client and add some
random header like "Junk", then when I have my xmlrpc server log it's
environment when running, I see the HTTP_JUNK header. If I do this
with AUTHORIZATION, the header is not found.

Does this ring a bell for anyone? Am I misunderstanding how to use
this header? I'm guessing that Apache might be eating this header, but
I don't know why.

By default, Apache does eat that. It's a compile time default; the
Apache developers think it's a security hole. Here's a note about it:

http://httpd.apache.org/dev/apidoc/apidoc_SECURITY_HOLE_PASS_AUTHORIZATION.html

From what I can see, this is still true in Apache 2.