Posted to dev@httpd.apache.org by Nick Kew <ni...@webthing.com> on 2010/07/28 03:46:35 UTC
Untainting an incoming request
I've just hacked up a module to perform simple security checks on
an incoming request. Loosely inspired by Perl's untainting.
It implements untainting rules. Each rule matches a request attribute
to a regexp, and can either:
(a) enforce a match, and return an error (default: 400) if it doesn't match.
or
(b) untaint a request attribute Perl-style
It supports untainting components of the request line, and any request header.
TODO: support untainting of parsed query args.
No plans for anything more ambitious like checking POST data (use mod_security).
Drop it into trunk?
--
Nick Kew
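Added example, not part of the original post and not the module's code: a stand-alone C sketch of the two rule types described above, using POSIX regex. The type and function names are hypothetical, and clearing the value when an untaint rule fails to match is an assumption, since the post does not say what the module does in that case.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; they are not the module's API. */
enum rule_mode { RULE_ENFORCE, RULE_UNTAINT };

struct rule {
    const char *attr;       /* request-line component or header name */
    const char *pattern;    /* POSIX extended regexp */
    enum rule_mode mode;
    int status;             /* error returned by a failed enforce rule */
};

/* Apply one rule to value (rewritten in place by an untaint rule).
 * Returns 0 to continue, an HTTP status to reject, 500 on a bad pattern. */
int apply_rule(const struct rule *r, char *value)
{
    regex_t re;
    regmatch_t m[2];

    if (regcomp(&re, r->pattern, REG_EXTENDED) != 0)
        return 500;
    int rc = regexec(&re, value, 2, m, 0);
    int g = (rc == 0 && re.re_nsub >= 1 && m[1].rm_so != -1) ? 1 : 0;
    regfree(&re);

    if (r->mode == RULE_ENFORCE)
        return rc == 0 ? 0 : r->status;
    if (rc != 0) {          /* assumption: no match clears the value */
        value[0] = '\0';
        return 0;
    }
    /* Perl-style: keep only capture group 1 (whole match if no group). */
    size_t len = (size_t)(m[g].rm_eo - m[g].rm_so);
    memmove(value, value + m[g].rm_so, len);
    value[len] = '\0';
    return 0;
}

int main(void)
{
    struct rule untaint = { "User-Agent", "^([A-Za-z0-9/._-]+)", RULE_UNTAINT, 0 };
    char ua[] = "curl/7.19 extra";          /* constructed sample value */
    int rc = apply_rule(&untaint, ua);
    printf("%d [%s]\n", rc, ua);
    return 0;
}
```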
Re: Untainting an incoming request
Posted by Dan Poirier <po...@pobox.com>.
Example usage?
Just to better understand the scope, can this do things that one
couldn't do (however painfully) with mod_rewrite?
Dan