Posted to dev@httpd.apache.org by Nick Kew <ni...@webthing.com> on 2010/07/28 03:46:35 UTC

Untainting an incoming request

I've just hacked up a module to perform simple security checks on
an incoming request.  Loosely inspired by Perl's untainting.

It implements untainting rules.  Each rule matches a request attribute
to a regexp, and can either:
  (a) enforce a match, and return an error (default: 400) if it doesn't match.
or
  (b) untaint a request attribute Perl-style

It supports untainting components of the request line, and any request header.
TODO: support untainting of parsed query args.
No plans for anything more ambitious like checking POST data (use mod_security).

Drop it into trunk?

-- 
Nick Kew
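
The two rule actions described in the message above, modelled with POSIX regexps as an added example; this is not the module's code or its configuration syntax. The names `struct rule` and `apply_rule`, the sample pattern, and the choice to reject a value when an untaint rule fails to match are assumptions.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical rule model for illustration; names are not the module's. */
enum rule_mode { RULE_ENFORCE, RULE_UNTAINT };
struct rule { const char *pattern; enum rule_mode mode; int status; };

/* Apply one rule to a tainted request attribute.
 * Returns 0 on success, otherwise the rule's error status (default 400).
 * ENFORCE: the value must match; it is copied to out unchanged.
 * UNTAINT: out receives only capture group 1 (Perl-style), so nothing
 *          outside the vetted sub-match survives.
 * Assumption: an untaint rule that does not match is also rejected. */
int apply_rule(const struct rule *r, const char *value, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[2];
    int status = r->status ? r->status : 400;
    if (outlen == 0 || regcomp(&re, r->pattern, REG_EXTENDED) != 0)
        return 500;                       /* unusable rule: fail closed */
    int rc = regexec(&re, value, 2, m, 0);
    size_t nsub = re.re_nsub;             /* read before freeing */
    regfree(&re);
    if (rc != 0)
        return status;
    const char *src = value;
    size_t len = strlen(value);
    if (r->mode == RULE_UNTAINT) {
        if (nsub < 1 || m[1].rm_so < 0)
            return status;                /* no capture: nothing was vetted */
        src = value + m[1].rm_so;
        len = (size_t)(m[1].rm_eo - m[1].rm_so);
    }
    if (len >= outlen)
        return status;                    /* never truncate silently */
    memcpy(out, src, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample rule and request path. */
    struct rule r = { "^/item/([0-9]+)$", RULE_UNTAINT, 0 };
    char out[64];
    int rc = apply_rule(&r, "/item/42", out, sizeof out);
    printf("status=%d value=%s\n", rc, rc ? "(rejected)" : out);
    return 0;
}
```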

Re: Untainting an incoming request

Posted by Dan Poirier <po...@pobox.com>.
Example usage?

Just to better understand the scope, can this do things that one
couldn't do (however painfully) with mod_rewrite?

Dan