httpd-dev mailing list archives

From "Roy T. Fielding" <field...@kiwi.ICS.UCI.EDU>
Subject Re: [PATCH] limiting server-info's accessibility
Date Mon, 17 Feb 1997 01:46:10 GMT

In message <97021614145295@decus.org>, Rodent of Unusual Size writes:
>    Reminder of the problem: *any*one can put directives into a
>    .htaccess file (e.g., "AddHandler server-{status,info} spy") that
>    permit access to the configuration details.  I think this
>    *definitely* needs to be fixed before 1.2 final.
>
>    After working on this one for a few days, the simplest thing (for
>    1.2 at least) appears to be to pursue Rob's suggestion to add
>    limiting directives.  I've worked up an experimental patch to
>    mod_info to do this, which is included below.  If this gets enough
>    +1s, I'll duplicate the work for mod_status.

Nope, -1.  This is definitely a feature change.  If the reporter is
concerned about that level of security, then they'll need to do more
than this in any case, and it is a simple two-line addition to
the modules if they want to hard-code the URL themselves.

....Roy
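
An audit for the exposure described in this thread, as an added example that is not part of the original messages or of Apache's own code: it scans per-directory files for AddHandler lines that map an extension to server-info or server-status. Checking SetHandler as well goes beyond the directive quoted above; the function names and the sample file are constructed for illustration.

```python
import os
import re
SENSITIVE = {"server-info", "server-status"}  # handlers named in the thread
DIRECTIVE = re.compile(r"^\s*(AddHandler|SetHandler)\s+(\S+)(.*)$", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_number, line), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:  # file ended in the middle of a continued line
        yield start, buf

def find_handler_overrides(text):
    """Return (line, directive, handler, extensions) for each sensitive mapping."""
    hits = []
    for n, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not active
        m = DIRECTIVE.match(line)
        if m and m.group(2).strip('"').lower() in SENSITIVE:
            handler = m.group(2).strip('"').lower()
            hits.append((n, m.group(1), handler, m.group(3).split()))
    return hits

def scan_tree(root, name=".htaccess"):
    """Walk a document root and report every per-directory file with a hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_handler_overrides(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample, modelled on the directive quoted in the thread.
SAMPLE = """# user-writable .htaccess
AddType text/html .shtml
AddHandler server-info spy
# AddHandler server-status old
sethandler \\
    server-status
"""
```

Run `scan_tree()` over each document root and user directory the server reads per-directory files from; any hit in a file the administrator did not write deserves review.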
