Posted to docs@httpd.apache.org by Joshua Slive <jo...@slive.ca> on 2002/06/15 22:32:14 UTC
Re: cvs commit: httpd-2.0/docs/manual/vhosts fd-limits.html.en
rbowen@apache.org wrote:
> rbowen 2002/06/15 13:09:08
>
> Modified: docs/manual/vhosts fd-limits.html.en
> Log:
> Added configuration example, code example, and a little explanation, to
> facilitate logging all of your virtual hosts to a single file, and then
> splitting them back up after. Note that if Apache has problems with this
> many file handles, Perl might also. I'm not sure.
Note that there is a support script included with apache that does this:
http://cvs.apache.org/viewcvs.cgi/*checkout*/httpd-2.0/support/split-logfile.in?rev=1.2
or
http://httpd.apache.org/docs-2.0/programs/other.html
It is fairly similar to yours, but not quite the same. Both your script
and the one in httpd-2.0 are missing a necessary security fix from the
1.3 version (strip slashes from the vhost name).
Joshua.
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: cvs commit: httpd-2.0/docs/manual/vhosts fd-limits.html.en
Posted by Tony Finch <do...@dotat.at>.
On Sun, Jun 16, 2002 at 06:55:45PM -0400, Joshua Slive wrote:
> Tony Finch wrote:
> > On Sat, Jun 15, 2002 at 10:15:17PM -0400, Joshua Slive wrote:
>
> >>I guess you can put pretty much whatever you like in the Host: header.
> >>It is not a major security hole, in my opinion, but it is better not
> >>allowed.
> >
> > Before this hole was fixed in 1.3 it exposed the password file etc.
>
> I don't believe so. You could only write to files with the .log extension.
I was thinking of users of mod_vhost_alias -- perhaps I should have
checked what started this thread :-)
Tony.
--
f.a.n.finch <do...@dotat.at> http://dotat.at/
SOUTHEAST TRAFALGAR: NORTHERLY 3 OR 4. MAINLY FAIR. GOOD.
Re: cvs commit: httpd-2.0/docs/manual/vhosts fd-limits.html.en
Posted by Joshua Slive <jo...@slive.ca>.
Tony Finch wrote:
> On Sat, Jun 15, 2002 at 10:15:17PM -0400, Joshua Slive wrote:
>>I guess you can put pretty much whatever you like in the Host: header.
>>It is not a major security hole, in my opinion, but it is better not
>>allowed. Cliff just checked in a fix to get rid of the problem in
>>httpd-2.0.
>
>
> Before this hole was fixed in 1.3 it exposed the password file etc.
I don't believe so. You could only write to files with the .log extension.
Joshua.
Re: cvs commit: httpd-2.0/docs/manual/vhosts fd-limits.html.en
Posted by Tony Finch <do...@dotat.at>.
On Sat, Jun 15, 2002 at 10:15:17PM -0400, Joshua Slive wrote:
> Rich Bowen wrote:
> >
> > Can you elaborate on that? Why would the vhost name ever have a slash in
> > it? I can see that it could be a security problem, but how would one
> > ever get in there?
Script kiddies.
> I guess you can put pretty much whatever you like in the Host: header.
> It is not a major security hole, in my opinion, but it is better not
> allowed. Cliff just checked in a fix to get rid of the problem in
> httpd-2.0.
Before this hole was fixed in 1.3 it exposed the password file etc.
Tony.
--
f.a.n.finch <do...@dotat.at> http://dotat.at/
IRISH SEA: SOUTHERLY 5 TO 7, OCCASIONALLY GALE 8. RAIN THEN FAIR. MODERATE
WITH FOG PATCHES BECOMING GOOD.
Re: cvs commit: httpd-2.0/docs/manual/vhosts fd-limits.html.en
Posted by Joshua Slive <jo...@slive.ca>.
Rich Bowen wrote:
> On Sat, 15 Jun 2002, Joshua Slive wrote:
>
>>It is fairly similar to yours, but not quite the same. Both your script
>>and the one in httpd-2.0 are missing a necessary security fix from the
>>1.3 version (strip slashes from the vhost name).
>
>
> Can you elaborate on that? Why would the vhost name ever have a slash in
> it? I can see that it could be a security problem, but how would one
> ever get in there?
I guess you can put pretty much whatever you like in the Host: header.
It is not a major security hole, in my opinion, but it is better not
allowed. Cliff just checked in a fix to get rid of the problem in
httpd-2.0.
Joshua.
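The slash problem discussed in this thread, as an added example that is neither the httpd project's split-logfile script nor any poster's code: a Python log splitter that treats the first field of each line as the vhost name (assumed here to be the host name as the client sent it in the Host: header), validates it against a strict hostname pattern before using it as a file name, and, as a second check, verifies that the resolved path stays inside the log directory. The sample log lines, host names and directory layout are constructed for the example.

```python
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Strict hostname shape: alphanumeric labels joined by dots, optional :port.
# Anything else (slashes, "..", spaces, control characters) is rejected outright,
# which is stricter than merely stripping slashes out of the name.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_VHOST_RE = re.compile(r"^(?=.{1,253}$)(?:%s\.)*%s(?::\d{1,5})?$" % (_LABEL, _LABEL))

# Constructed sample: "%v"-style combined log where the vhost is the first field.
# Two lines carry a vhost field that must never become part of a file name.
SAMPLE_LINES = [
    'www.example.com 192.0.2.1 - - [15/Jun/2002:13:09:08 -0400] "GET / HTTP/1.1" 200 1234',
    'WWW.Example.COM:8080 192.0.2.2 - - [15/Jun/2002:13:09:09 -0400] "GET /a HTTP/1.1" 200 99',
    'shop.example.net 192.0.2.3 - - [15/Jun/2002:13:09:10 -0400] "GET /b HTTP/1.1" 404 0',
    '../../tmp/evil 192.0.2.4 - - [15/Jun/2002:13:09:11 -0400] "GET / HTTP/1.1" 200 1',
    'example.com/foo 192.0.2.5 - - [15/Jun/2002:13:09:12 -0400] "GET / HTTP/1.1" 200 1',
]


def safe_vhost(name):
    """Return the vhost name normalised for use as a file name, or None if unsafe."""
    if not _VHOST_RE.match(name):
        return None
    # Lower-case and drop the port so one host maps to one log file.
    return name.lower().split(":")[0]


def vhost_logfile(logdir, vhost):
    """Build <logdir>/<vhost>.log and confirm it resolves inside logdir."""
    root = os.path.realpath(logdir)
    path = os.path.realpath(os.path.join(root, vhost + ".log"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("log path escapes log directory: %r" % path)
    return path


def split_log(lines, logdir):
    """Route each line to its per-vhost file.

    Returns (counts, rejected): lines written per vhost, and the lines whose
    vhost field failed validation, kept so an operator can inspect them.
    """
    counts = defaultdict(int)
    rejected = []
    handles = {}
    try:
        for line in lines:
            vhost, sep, rest = line.partition(" ")
            host = safe_vhost(vhost) if sep else None
            if host is None:
                rejected.append(line)
                continue
            fh = handles.get(host)
            if fh is None:
                fh = handles[host] = open(vhost_logfile(logdir, host), "a")
            fh.write(rest + "\n")
            counts[host] += 1
    finally:
        for fh in handles.values():
            fh.close()
    return dict(counts), rejected


def run_demo():
    """Split the constructed sample into a scratch directory and report the outcome."""
    logdir = tempfile.mkdtemp(prefix="vhost-logs-")
    try:
        counts, rejected = split_log(SAMPLE_LINES, logdir)
        files = sorted(os.listdir(logdir))
    finally:
        shutil.rmtree(logdir)
    return {"counts": counts, "rejected": rejected, "files": files}


if __name__ == "__main__":
    print(run_demo())
```

Rejected lines are returned rather than silently dropped: a vhost field containing a slash is exactly the kind of request an operator wants to see, and counting them gives a cheap detection signal. Appending the fixed ".log" suffix preserves the property mentioned in the thread that only .log files can ever be created.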
Re: cvs commit: httpd-2.0/docs/manual/vhosts fd-limits.html.en
Posted by Rich Bowen <rb...@rcbowen.com>.
On Sat, 15 Jun 2002, Joshua Slive wrote:
> rbowen@apache.org wrote:
> > rbowen 2002/06/15 13:09:08
> >
> > Modified: docs/manual/vhosts fd-limits.html.en
> > Log:
> > Added configuration example, code example, and a little explanation, to
> > facilitate logging all of your virtual hosts to a single file, and then
> > splitting them back up after. Note that if Apache has problems with this
> > many file handles, Perl might also. I'm not sure.
>
> Note that there is a support script included with apache that does this:
> http://cvs.apache.org/viewcvs.cgi/*checkout*/httpd-2.0/support/split-logfile.in?rev=1.2
> or
> http://httpd.apache.org/docs-2.0/programs/other.html
I have *never* noticed that. And I was going to recommend that this
script be included in the bin directory so that people could just look
there, rather than having a full listing in the docs. I guess that's not
necessary. Recommendations? Should I just direct people to that instead?
> It is fairly similar to yours, but not quite the same. Both your script
> and the one in httpd-2.0 are missing a necessary security fix from the
> 1.3 version (strip slashes from the vhost name).
Can you elaborate on that? Why would the vhost name ever have a slash in
it? I can see that it could be a security problem, but how would one
ever get in there?
--
Pilgrim, how you journey on the road you chose
To find out where the winds die and where the stories go
--Pilgrim (Enya - A Day Without Rain)