You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Eric Covener <co...@gmail.com> on 2017/04/27 17:51:47 UTC
Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES
include/ap_mmn.h include/httpd.h modules/generators/mod_status.c
modules/proxy/mod_proxy.c server/config.c server/util.c
On Fri, Apr 21, 2017 at 4:44 AM, <ni...@apache.org> wrote:
> + /* A request that has passed through .htaccess has no business
> + * landing up here.
> + */
> + if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
> + return DECLINED;
> + }
> +
If AllowOverride is enabled for the document root an d an htaccess is
present, this renders /server-status unreachable, regardless of
what's in the htaccess. If we're going to block this by default, we
might as well just stop configuring it with SetHandler and then the
taint checking is not needed.
We also have in another thread the issue with RewriteRule ... [P] in
htaccess being blocked. We need some kind of way to express a policy
that will be unique to different handlers.
--
Eric Covener
covener@gmail.com
Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES
include/ap_mmn.h include/httpd.h modules/generators/mod_status.c
modules/proxy/mod_proxy.c server/config.c server/util.c
Posted by Eric Covener <co...@gmail.com>.
The rewrite case was failing in the test suite. I removed both checks
in r1792169.
On Mon, May 8, 2017 at 8:04 PM, Eric Covener <co...@gmail.com> wrote:
> On Thu, Apr 27, 2017 at 1:51 PM, Eric Covener <co...@gmail.com> wrote:
>> On Fri, Apr 21, 2017 at 4:44 AM, <ni...@apache.org> wrote:
>>> + /* A request that has passed through .htaccess has no business
>>> + * landing up here.
>>> + */
>>> + if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
>>> + return DECLINED;
>>> + }
>>> +
>>
>> If AllowOverride is enabled for the document root an d an htaccess is
>> present, this renders /server-status unreachable, regardless of
>> what's in the htaccess. If we're going to block this by default, we
>> might as well just stop configuring it with SetHandler and then the
>> taint checking is not needed.
>>
>> We also have in another thread the issue with RewriteRule ... [P] in
>> htaccess being blocked. We need some kind of way to express a policy
>> that will be unique to different handlers.
>
> bump? Right now the only two protected handlers are blocking pretty
> routine configurations.
--
Eric Covener
covener@gmail.com
Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES
include/ap_mmn.h include/httpd.h modules/generators/mod_status.c
modules/proxy/mod_proxy.c server/config.c server/util.c
Posted by Eric Covener <co...@gmail.com>.
On Thu, Apr 27, 2017 at 1:51 PM, Eric Covener <co...@gmail.com> wrote:
> On Fri, Apr 21, 2017 at 4:44 AM, <ni...@apache.org> wrote:
>> + /* A request that has passed through .htaccess has no business
>> + * landing up here.
>> + */
>> + if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
>> + return DECLINED;
>> + }
>> +
>
> If AllowOverride is enabled for the document root an d an htaccess is
> present, this renders /server-status unreachable, regardless of
> what's in the htaccess. If we're going to block this by default, we
> might as well just stop configuring it with SetHandler and then the
> taint checking is not needed.
>
> We also have in another thread the issue with RewriteRule ... [P] in
> htaccess being blocked. We need some kind of way to express a policy
> that will be unique to different handlers.
bump? Right now the only two protected handlers are blocking pretty
routine configurations.