httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@ai.mit.edu (Robert S. Thau)
Subject Re: A feature patch to NPH-ize existing CGI (CGI standard safe)
Date Thu, 24 Aug 1995 20:51:07 GMT
   From: Rob Hartill <hartill@ooo.lanl.gov>
   Date: Thu, 24 Aug 95 13:10:49 MDT

   Attached is a patch which is not a bug fix, but what the hell, it
   might be worth playing with, and ultimately merged into a working Apache.

Saved and noted --- I'm collecting these things.  However, I'm not
sure that further improvements on nph- are really the way to go.

With HTTP/1.1 keepalives, nph opens a pretty substantial security
hole; a rogue NPH script can send "Connection: Keep-alive" as part of
the headers, and masquerade as the server thereafter, collecting
authorization info which is ordinarily denied to CGI scripts (by
redirecting the client into the authorized area if necessary) and
putting up fake versions of other documents on the server, for as long
as the client holds the connection open.

With HTTP-NG (multiple simultaneous logical connections over a single,
multiplexed TCP stream) the situation is even worse; the server would
have to somehow synchronize with the script about who gets to write
to (and read from) the connection when, and trust the script to
maintain the integrity of the packet protocol --- not a pleasant
prospect.

At the very least, any future wrinkles on nph- should probably attempt
to deal with these issues.

   Some quick tests on my HP showed that response times for the NPH-esque
   versions of the same script gave responses which were 40% quicker. Not
   a big surprise when you consider all the process<->process data xfer that
   goes on between Apache and CGI. The only real drawback I can see is that
   Apache isn't able to log Status and bytes-sent for NPH, but for people
   who don't care about these things (I don't) it's a small price to pay.

Hmmm... for strictly local transfers, this may be the case, but I
suspect that on the Net at large, most connections are bandwidth
limited in any case.  In any case, there are other ways to get the
same speedup --- have the script cache its output in a file, and
redirect the server to the file (slower the first time, when the
cached entry has to be built, but much faster afterwards) --- Mark
Torrance's stocks pages here do some of this, particularly with the
mutual funds graphs.

rst

Mime
View raw message