Fun thttpd feature
If I put a cgi script into a password protected directory, thttpd assigns the auth username to REMOTE_USER, then passes it down to the cgi script. All well and good, and as you'd expect.
But if that cgi script is actually a softlink to a cgi script somewhere else, thttpd cheerfully discards the REMOTE_USER variable and passes, um, nothing down to the cgi script, despite the teeny detail that you need to actually auth your way into the directory that contains this softlink to elsewhere.
*sigh*
So I need to continue using the traditional bodge of having a shell script in the protected directory that execs the actual cgi script that's sitting somewhere else. Grumble grumble http grumble grumble security hole grumble.