You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@kiwi.ics.uci.edu> on 1998/05/21 23:56:31 UTC
Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
> Make sure a MIME-type can be forced via a RewriteRule even when no
> substitution takes place, for instance via the following rule:
>
> RewriteRule ^myscript$ - [T=application/x-httpd-cgi]
>
> This was often requested by users (not only the submitter of the bug report)
> in the past to force a single script without a .cgi extension and outside any
> cgi-bin dirs to be executed as a CGI program.
This is only allowed in the main config files, right? Not .htaccess?
Otherwise it is a security hole.
....Roy
Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Thu, May 21, 1998 at 08:47:27PM -0700, Brian Behlendorf wrote:
> 3) put a <Directory /> section in access.conf-dist with very restrictive
> set of permissions, and detail in the installation pages how to add
> permissions for different directories.
Yeah. That's the best choice.
Martin
--
| S I E M E N S | <Ma...@mch.sni.de> | Siemens Nixdorf
| ------------- | Voice: +49-89-636-46021 | Informationssysteme AG
| N I X D O R F | FAX: +49-89-636-44994 | 81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
Posted by Dean Gaudet <dg...@arctic.org>.
On Thu, 21 May 1998, Brian Behlendorf wrote:
> 3) put a <Directory /> section in access.conf-dist with very restrictive
> set of permissions, and detail in the installation pages how to add
> permissions for different directories.
+1
It's how most of us build our own servers, we've talked about this as
default for a long time...
Dean
Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
Posted by Gregory A Lundberg <lu...@vr.net>.
On Thu, 21 May 1998, Brian Behlendorf wrote:
> 3) put a <Directory /> section in access.conf-dist with very restrictive
> set of permissions, and detail in the installation pages how to add
> permissions for different directories.
how I do it
----
Gregory A Lundberg Senior Partner, VRnet Company
1441 Elmdale Drive lundberg@vr.net
Kettering, OH 45409-1615 USA 1-800-809-2195
Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
Posted by Brian Behlendorf <br...@hyperreal.org>.
At 07:42 PM 5/21/98 -0600, you wrote:
>"the" default Apache config _does_ have it enabled from a quick glance.
>
>It allows ~userdir requests, and doesn't have an Options setting for user
>dirs which means they get Options All.
Ah, right. We could fix this before 1.3.0. There are a number of ways:
1) don't enable mod_userdir in default Configuration.tmpl
Ick, I think people would submit bug reports about it
being missing.
2) comment out UserDir directive in srm.conf-dist
Better, but it doesn't address the lack of security
contexts.
3) put a <Directory /> section in access.conf-dist with very restrictive
set of permissions, and detail in the installation pages how to add
permissions for different directories.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
pure chewing satisfaction brian@apache.org
brian@hyperreal.org
Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
Posted by Marc Slemko <ma...@worldgate.com>.
On Thu, 21 May 1998, Brian Behlendorf wrote:
> At 04:04 PM 5/21/98 -0700, Brian Behlendorf wrote:
> >At 02:56 PM 5/21/98 -0700, Roy T. Fielding wrote:
> >>> Make sure a MIME-type can be forced via a RewriteRule even when no
> >>> substitution takes place, for instance via the following rule:
> >>>
> >>> RewriteRule ^myscript$ - [T=application/x-httpd-cgi]
> >>>
> >>> This was often requested by users (not only the submitter of the bug
> >report)
> >>> in the past to force a single script without a .cgi extension and
> >outside any
> >>> cgi-bin dirs to be executed as a CGI program.
This is easy enough to do using ForceType without needing mod_rewrite.
That doesn't, of course, mean mod_rewrite shouldn't be able to do it.
> >>
> >>This is only allowed in the main config files, right? Not .htaccess?
> >>Otherwise it is a security hole.
> >
> >Hmm, this is true: even if Options ExecCGI is unset, the CGI script will
> >be executed.
>
> No, I'm sorry, my testing rig was messed up. This is not the case. Even
> if a script is tagged "application/x-httpd-cgi" in a .htaccess file using
> this mechanism, it will NOT be run if the ExecCGI option is not enabled.
>
> Since your default configuration out-of-the-box does not have "ExecCGI"
> enabled, it is an explicit decision by the configurator to enable it, and
"the" default Apache config _does_ have it enabled from a quick glance.
It allows ~userdir requests, and doesn't have an Options setting for user
dirs which means they get Options All.
Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
Posted by Brian Behlendorf <br...@hyperreal.org>.
At 04:04 PM 5/21/98 -0700, Brian Behlendorf wrote:
>At 02:56 PM 5/21/98 -0700, Roy T. Fielding wrote:
>>> Make sure a MIME-type can be forced via a RewriteRule even when no
>>> substitution takes place, for instance via the following rule:
>>>
>>> RewriteRule ^myscript$ - [T=application/x-httpd-cgi]
>>>
>>> This was often requested by users (not only the submitter of the bug
>report)
>>> in the past to force a single script without a .cgi extension and
>outside any
>>> cgi-bin dirs to be executed as a CGI program.
>>
>>This is only allowed in the main config files, right? Not .htaccess?
>>Otherwise it is a security hole.
>
>Hmm, this is true: even if Options ExecCGI is unset, the CGI script will
>be executed.
No, I'm sorry, my testing rig was messed up. This is not the case. Even
if a script is tagged "application/x-httpd-cgi" in a .htaccess file using
this mechanism, it will NOT be run if the ExecCGI option is not enabled.
Since your default configuration out-of-the-box does not have "ExecCGI"
enabled, it is an explicit decision by the configurator to enable it, and
thus to allow CGI scripts to be run. So the only argument that it is a
security hole could be that the administrator did not set an addhandler or
addtype directive; yet a user can also override that if they can override
the "fileinfo" class of directives, which by the way RewriteRule is also
cloistered by.
I looked through our "security tips" document to make sure that was
consistant.
>Ralf, for the time being I'm going to reverse your patch so we can roll a
>release.
Nope, not going to reverse it. Sorry for the mistake.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
pure chewing satisfaction brian@apache.org
brian@hyperreal.org
Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
Posted by Brian Behlendorf <br...@hyperreal.org>.
At 02:56 PM 5/21/98 -0700, Roy T. Fielding wrote:
>> Make sure a MIME-type can be forced via a RewriteRule even when no
>> substitution takes place, for instance via the following rule:
>>
>> RewriteRule ^myscript$ - [T=application/x-httpd-cgi]
>>
>> This was often requested by users (not only the submitter of the bug
report)
>> in the past to force a single script without a .cgi extension and
outside any
>> cgi-bin dirs to be executed as a CGI program.
>
>This is only allowed in the main config files, right? Not .htaccess?
>Otherwise it is a security hole.
Hmm, this is true: even if Options ExecCGI is unset, the CGI script will
be executed.
Ralf, for the time being I'm going to reverse your patch so we can roll a
release. The "right fix", it seems, is to decide which is the "absolute"
indicator of script security policy: is it "ExecCGI is set" or
is it "application/x-httpd-cgi is the MIME type"? If the former we need to
modify mod_cgi.c; if the latter we need to prevent applications/x-httpd-cgi
from being able to be set in .htaccess files in mod_rewrite. My strong
vote is for the former.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
pure chewing satisfaction brian@apache.org
brian@hyperreal.org