You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Eric Covener <co...@gmail.com> on 2017/05/09 00:04:15 UTC

Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c

On Thu, Apr 27, 2017 at 1:51 PM, Eric Covener <co...@gmail.com> wrote:
> On Fri, Apr 21, 2017 at 4:44 AM,  <ni...@apache.org> wrote:
>> +    /* A request that has passed through .htaccess has no business
>> +     * landing up here.
>> +     */
>> +    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
>> +        return DECLINED;
>> +    }
>> +
>
> If AllowOverride is enabled for the document root an d an htaccess is
> present,  this renders /server-status unreachable, regardless of
> what's in the htaccess. If we're going to block this by default, we
> might as well just stop configuring it with SetHandler and then the
> taint checking is not needed.
>
> We also have in another thread the issue with RewriteRule ... [P] in
> htaccess being blocked.  We need some kind of way to express a policy
> that will be unique to different handlers.

bump? Right now the only two protected handlers are blocking pretty
routine configurations.

Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c

Posted by Eric Covener <co...@gmail.com>.

The rewrite case was failing in the test suite. I removed both checks
in r1792169.

On Mon, May 8, 2017 at 8:04 PM, Eric Covener <co...@gmail.com> wrote:
> On Thu, Apr 27, 2017 at 1:51 PM, Eric Covener <co...@gmail.com> wrote:
>> On Fri, Apr 21, 2017 at 4:44 AM,  <ni...@apache.org> wrote:
>>> +    /* A request that has passed through .htaccess has no business
>>> +     * landing up here.
>>> +     */
>>> +    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
>>> +        return DECLINED;
>>> +    }
>>> +
>>
>> If AllowOverride is enabled for the document root an d an htaccess is
>> present,  this renders /server-status unreachable, regardless of
>> what's in the htaccess. If we're going to block this by default, we
>> might as well just stop configuring it with SetHandler and then the
>> taint checking is not needed.
>>
>> We also have in another thread the issue with RewriteRule ... [P] in
>> htaccess being blocked.  We need some kind of way to express a policy
>> that will be unique to different handlers.
>
> bump? Right now the only two protected handlers are blocking pretty
> routine configurations.



-- 
Eric Covener
covener@gmail.com