httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: apache-demo and mod_auth_msql.c
Date Thu, 13 Jun 1996 07:31:11 GMT
On Thu, 13 Jun 1996, Dirk.vanGulik wrote:
> Given that all these modules are potential security holes, I still am surprised
> to see *all* of them (apart from mod_auth.c) anywhere near the core releases.
> 
> How about having a separate directory with the access modules?

Hmm, certainly putting them in a different directory doesn't make them
more secure or Apache any less vulnerable. :)  The only difference we
could make is distributing without the mod_auth* modules.  

The main potential for security problems I see is if the modules
allow access to requests without proper credentials... and I don't see
that as an entropic direction (i.e., if something fails within
authentication, it's much more likely to cause a correct password/user
combo to fail, than to cause an incorrect password/user combo to be
mistakenly granted access).  And in cases like msql, where we're
interfacing to an interface rather than mucking around in DBM land and
handling special formatting, it would seem like the implementation would
be rather straightforward and the most likely candidate for failure be on
the other side of the msql interface.  

Are you all tired of my zen programming analyses yet?

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS

