httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: [PATCH] limiting server-info's accessibility
Date Sun, 16 Feb 1997 21:13:20 GMT
On Sun, 16 Feb 1997, Rodent of Unusual Size wrote:

>     Reminder of the problem: *any*one can put directives into a
>     .htaccess file (e.g., "AddHandler server-{status,info} spy") that
>     permit access to the configuration details.  I think this
>     *definitely* needs to be fixed before 1.2 final.
> 
>     After working on this one for a few days, the simplest thing (for
>     1.2 at least) appears to be to pursue Rob's suggestion to add
>     limiting directives.  I've worked up an experimental patch to
>     mod_info to do this, which is included below.  If this gets enough
>     +1s, I'll duplicate the work for mod_status.
> 
>     I also added a function to util.h to return the raw URI minus any
>     path-info.  mod_info currently allows selection of finer details
>     via arguments, and it seems reasonable that path-info might also be
>     used to convey instructions to handlers.  I added base_uri() so that
>     the "am I allowed here?" decision will be unaffected by such added
>     data.  Of course, I'm still not all that familiar with lots of the
>     code, so I may have duplicated something already available.  {sigh}
> 
>     The directive is "InfoOnlyVia <uri>...", and it's only allowed in
>     the server configuration.
> 
>     One down-side to this is that anyone that uses the info module will
>     need to add InfoOnlyVia directives at 1.2 upgrade time in order to
>     keep the functionality..

While I like the idea and feel it is important (someone can get info
almost as good as from the access logs by just checking the server
status page once in a while) I'm wondering if it is perhaps a bit 
late.  

What about putting it in contrib, and adding a warning to the docs
with a pointer to it?  People would need to change their configs
anyway, so adding a patch isn't that hard.



Mime
View raw message