You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2012/11/06 09:44:48 UTC
Re: New module mod_allowhandlers / Controlling script execution
Hi,
On Sat, 21 Apr 2012, Jeff Trawick wrote:
>> there is the problem that if modules like mod_status or
>> mod_proxy_balancer are loaded, all people with permissions to create
>> .httaccess files can use the status pages by using SetHandler in an
>> .htaccess file.
>
> My 2 cents:
>
> SetHandler shouldn't be used to enable these because it requires an
> unnecessary filesystem walk and only requires a very small amount of
> code to implement a flag directive. Having ServerStatus On|Off
> anywhere in the configuration would disable the check for r->handler
> == "status-handler" (migration).
I must admit that I haven't looked into why they use the handler for
configuration. But my feeling is that we won't get rid of modules doing
it this in the forseeable future.
> Is the use of handler by these a feature though, such as needing to
> let other modules generate these reports by some mechanism other than
> using a subrequest for or redirecting to the location where it is
> enabled? I don't know how smooth mod_allowhandler would be for that
> anyway.
It does the checks at the end of the fixup hook, which seems to work with
the setups I could think of. But more testing is needed, of course.
> There are other situations where mod_allowhandlers would be helpful,
> but I think we could provide a simpler mechanism (flag) for the
> several sensitive handlers in bundled modules.
I think having it in trunk would be nice to find problems with this
approach. Unless someone disagrees, I am going to commit it. Backport to
2.4 can wait until we are sure that it is a good solution.
Cheers,
Stefan
Re: New module mod_allowhandlers / Controlling script execution
Posted by Jeff Trawick <tr...@gmail.com>.
On Tuesday, November 6, 2012, Stefan Fritsch wrote:
> Hi,
>
> On Sat, 21 Apr 2012, Jeff Trawick wrote:
>
>> there is the problem that if modules like mod_status or
>>> mod_proxy_balancer are loaded, all people with permissions to create
>>> .httaccess files can use the status pages by using SetHandler in an
>>> .htaccess file.
>>>
>>
>> My 2 cents:
>>
>> SetHandler shouldn't be used to enable these because it requires an
>> unnecessary filesystem walk and only requires a very small amount of
>> code to implement a flag directive. Having ServerStatus On|Off
>> anywhere in the configuration would disable the check for r->handler
>> == "status-handler" (migration).
>>
>
> I must admit that I haven't looked into why they use the handler for
> configuration. But my feeling is that we won't get rid of modules doing it
> this in the forseeable future.
>
> Is the use of handler by these a feature though, such as needing to
>> let other modules generate these reports by some mechanism other than
>> using a subrequest for or redirecting to the location where it is
>> enabled? I don't know how smooth mod_allowhandler would be for that
>> anyway.
>>
>
> It does the checks at the end of the fixup hook, which seems to work with
> the setups I could think of. But more testing is needed, of course.
>
> There are other situations where mod_allowhandlers would be helpful,
>> but I think we could provide a simpler mechanism (flag) for the
>> several sensitive handlers in bundled modules.
>>
>
> I think having it in trunk would be nice to find problems with this
> approach. Unless someone disagrees, I am going to commit it. Backport to
> 2.4 can wait until we are sure that it is a good solution.
+1
>
> Cheers,
> Stefan
>
--
Born in Roswell... married an alien...
http://emptyhammock.com/