Hello,
Hopefully this is a simple yes/no question, but time will tell :)
If you have an Apache website running a simple .cgi script
and protecting this script with a standard .htaccess file,
is it safe to trust $ENV{'REMOTE_USER'}; in a script to inject the username for later processing?
For example:
Can a user, once logged into the .htaccess area, change the $ENV{'REMOTE_USER'}; variable to another name?
Thus making it not safe to presume $ENV{'REMOTE_USER'}; is still the correct user?
I hope to use $ENV{'REMOTE_USER'}; to base what a user can/cannot view on the site. Having written the code I’m now unsure if I have opened up a whole new security problem.
Your advice and suggestions would be much appreciated.
Regards,
Gareth
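
The setup described in the question, as an added example that is not part of the original post: a Perl CGI script that decides what a user may view from `REMOTE_USER` and fails closed when the server did not authenticate the request. The policy table, the usernames, the view names and the `view` query parameter are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: per-user view control keyed on the server-set REMOTE_USER.
use strict;
use warnings;

# Hypothetical policy table: which views each authenticated user may open.
my %ALLOWED_VIEWS = (
    gareth => { reports => 1, admin => 1 },
    alice  => { reports => 1 },
);

# Request headers sent by the browser reach a CGI script as HTTP_* variables;
# REMOTE_USER and AUTH_TYPE are set by the server from its authentication step.
# Return the authenticated username, or undef if authentication did not run
# (for example, the .htaccess rule is missing or the script was moved).
sub authenticated_user {
    my ($env) = @_;
    my ($user, $type) = @{$env}{qw(REMOTE_USER AUTH_TYPE)};
    return undef unless defined $user && length $user;
    return undef unless defined $type && $type =~ /\A(?:Basic|Digest)\z/i;
    # Accept only a conservative character set before using the name in lookups.
    return undef unless $user =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    return $user;
}

# Fail closed: no authenticated user, unknown user or unknown view means "no".
sub may_view {
    my ($env, $view) = @_;
    my $user  = authenticated_user($env) or return 0;
    my $views = $ALLOWED_VIEWS{$user}    or return 0;
    return $views->{$view} ? 1 : 0;
}

unless (caller) {
    # The requested view comes from the client and is only a lookup key;
    # the identity never comes from a form field, cookie or query parameter.
    my ($view) = ($ENV{QUERY_STRING} // '') =~ /(?:\A|[&;])view=([a-z]+)(?:\z|[&;])/;
    if (defined $view && may_view(\%ENV, $view)) {
        print "Content-Type: text/plain\r\n\r\n";
        print "Showing '$view' for $ENV{REMOTE_USER}\n";
    } else {
        print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n";
        print "Access denied\n";
    }
}
```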