Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/10/25 15:23:04 UTC

DO NOT REPLY [Bug 43698] New: - Apache AllowOverride Groups Reorganize Proposal

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43698>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43698

           Summary: Apache AllowOverride Groups Reorganize Proposal
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: minor
          Priority: P5
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: tobia.caneschi@register.it


Hello,

I'm an IT specialist at a big Italian hoster.

The problem that I solved is this:

Currently every major hoster that offers a shared hosting service has the problem
of giving its customers a chance to use RewriteRule via htaccess.

At the same time there is the problem of maintaining security and privacy (being
a shared environment). This, for us, is currently managed by cgiwrap, which sits
between Apache and PHP/Perl and creates a chroot environment that the customer
cannot exit.

RewriteRule has become necessary because the most famous CMSs, such as WordPress,
Joomla, etc., use RewriteRule to give back to the browser a URL without a query
string (the famous permalink) to improve search engine indexing scores.

The problem is that activating the rewrite directives also activates some other
directives that are very dangerous for shared hosting, for example
AddHandler, SetHandler, ForceType.

Through these directives in an htaccess file, any one of our clients (or a cracker
with cross-site scripting) can activate any scripting system on an extension of
his choice, which would not be intercepted by cgiwrap.

At that point the execution of this script would in a chroot environment where
the user can see other users' files.

With these patches I moved all directives related to the activation of CGI
execution from the FileInfo group to the Options group (not given to users).

I created this patch to reorganize the groups in AllowOverride.

The directives passed from the FileInfo group to Options are:
--------------------------------------------------------------
CORE
ForceType, SetHandler, SetOutputFilter, SetInputFilter, AddOutputFilterByType

MOD_ACTION
Action

MOD_MIME
AddHandler, AddInputFilter, AddOutputFilter, AddType

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
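
An added example, not part of the original report or of Apache httpd: a small auditor a hoster could run over customer htaccess files to find the directives the report lists as being enabled together with FileInfo. The function names and the sample file are constructed for illustration; the directive list is the one given in the message above.

```python
import re

# Directives the report proposes moving out of the FileInfo override group.
HANDLER_DIRECTIVES = {
    "forcetype", "sethandler", "setoutputfilter", "setinputfilter",
    "addoutputfilterbytype", "action",
    "addhandler", "addinputfilter", "addoutputfilter", "addtype",
}

def logical_lines(text):
    """Yield (line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def audit_htaccess(text):
    """Return [(line_number, directive, arguments)] for flagged directives."""
    findings = []
    for n, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank, comment, or section open/close tag
        name, args = re.match(r"(\S+)\s*(.*)", line).groups()
        if name.lower() in HANDLER_DIRECTIVES:  # directive names are case-insensitive
            findings.append((n, name, args))
    return findings

# Constructed sample: a permalink rewrite next to handler overrides.
SAMPLE = """\
RewriteEngine On
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
# AddHandler in a comment is ignored
addhandler cgi-script .foo
<Files "report.txt">
    SetHandler \\
        cgi-script
</Files>
"""

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE))
```

The rewrite lines pass untouched, while the lower-case `addhandler` and the continued `SetHandler` inside the `<Files>` section are both reported with the line on which they start.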


DO NOT REPLY [Bug 43698] - Apache AllowOverride Groups Reorganize Proposal

Posted by bu...@apache.org.

------- Additional Comments From tobia.caneschi@register.it  2007-10-25 06:28 -------
Created an attachment (id=21042)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21042&action=view)
mod_mime patch

Moved some directives from FileInfo to Options group

MOD_MIME
AddHandler,AddInputFilter,AddOutputFilter,AddType



DO NOT REPLY [Bug 43698] - Apache AllowOverride Groups Reorganize Proposal

Posted by bu...@apache.org.

------- Additional Comments From tobia.caneschi@register.it  2007-10-25 06:43 -------
It's true, you centered the problem, but in my case creating a new group would
break existing installations too. And then for a quick solution I moved the
directive.

I agree with you on the best solution. I just sent this issue to find a solution
in future versions of Apache.


(In reply to comment #4)
> The trouble is that these are *NOT* Options, and so adding them to Options makes
> no sense at all.
> 
> Adding a new AllowOverride group entirely, I could understand, or, better still,
> adding the kind of handling to every AllowOverride argument that Options has
> (Options[=Option,...]) but moving stuff from one categorization to another
> breaks existing installations and makes the categories seem rather arbitrary.
> 





DO NOT REPLY [Bug 43698] - Apache AllowOverride Groups Reorganize Proposal

Posted by bu...@apache.org.

------- Additional Comments From rbowen@apache.org  2007-10-25 06:35 -------
The trouble is that these are *NOT* Options, and so adding them to Options makes
no sense at all.

Adding a new AllowOverride group entirely, I could understand, or, better still,
adding the kind of handling to every AllowOverride argument that Options has
(Options[=Option,...]) but moving stuff from one categorization to another
breaks existing installations and makes the categories seem rather arbitrary.




DO NOT REPLY [Bug 43698] - Apache AllowOverride Groups Reorganize Proposal

Posted by bu...@apache.org.

------- Additional Comments From tobia.caneschi@register.it  2007-10-25 06:29 -------
Created an attachment (id=21043)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21043&action=view)
mod_actions patch

Moved directive "Action" from FileInfo to Options



DO NOT REPLY [Bug 43698] - Apache AllowOverride Groups Reorganize Proposal

Posted by bu...@apache.org.

------- Additional Comments From tobia.caneschi@register.it  2007-10-25 06:27 -------
Created an attachment (id=21041)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21041&action=view)
Core patch

Moved directives from FileInfo group to Options:
ForceType,SetHandler,SetOutputFilter,SetInputFilter,AddOutputFilterByType

