httpd-dev mailing list archives

From Alexei Kosut <>
Subject Re: [STATUS] 1.3
Date Thu, 03 Jul 1997 21:31:05 GMT
On Thu, 3 Jul 1997, Brian Behlendorf wrote:

> >> >  * status module available from .htaccess files; Ken posted patch
> >
> >If you have a handler like server-status and allow people to use
> >directives like SetHandler, anyone can make a page using that
> >handler, negating any restrictions you want placed on it.
> Ah, right.  What about making SetHandler RSRC_CONF only?  Is there a
> substantial reason why it should be OR_FILEINFO?

Yes. The same reason AddType is. They're the same. Well, actually,
SetHandler is the same as ForceType; AddHandler is the same as AddType.
(and yes, you can use AddHandler as well as SetHandler to "exploit" this
problem). At any rate, .htaccess and <Directory> sections need to be able
to reassociate filename extensions if they are allowed to. For example, I
might want to put a copy of the Apache docs on my server, and I might want
to put the following in an .htaccess file so that the headers/footers
worked out:

AddHandler server-parsed html

Other examples abound. The problem with status and info and the like is
that they do things that are at an administrative level, but use a
user-level directive to do so. It seemed like a good idea at the time, I
guess. Using SetHandler instead of creating a new directive (like
"Status /server-status") has the advantage that the module doesn't have to
do filename-to-uri translation, you can put in protection, etc...
Honestly, I don't know how to fix it easily, other than hacking something
into mod_status/mod_info that allows a RSRC_CONF-only directive to specify
"safe" locations to send status/info to.

Sorta like "Options Includes" and "Options ExecCGI". If you think about
it, that's exactly what those two directives do; allow the admin to
ensure the user can't do with CGIs and includes what they can do with
status/includes. So we could add (either as a generic thing or as specific
directives in mod_status/mod_info) Options-style directives that turn
on/off status/info-reporting. Make them OR_OPTIONS, and as long as the
.htaccess file isn't AllowOverride Option-ed, the status can be secure if
the admin wants to be, and insecure if it doesn't care.

-- Alexei Kosut <>
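The configuration pattern Alexei describes, laid out as an added illustration that is not part of this message or of Apache's own documentation: a hypothetical httpd.conf that restricts /server-status by client address, the override that lets a directory-level .htaccess rebind that handler elsewhere, and the override setting that closes the gap. Paths and the admin network are placeholders.

```apache
# httpd.conf: the admin restricts the status handler by client address.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/255.0.0.0        # placeholder admin network
</Location>

# Weak: FileInfo lets an .htaccess file use SetHandler/AddHandler/ForceType.
<Directory /home/*/public_html>          # placeholder user-directory path
    AllowOverride FileInfo
</Directory>

# With that override, an .htaccess under such a directory can attach the
# same handler to a URL the <Location> block never matches, so its
# Deny/Allow rules never run:
#
#   <Files stats.html>
#       SetHandler server-status
#   </Files>
#
# Hardened: withhold FileInfo (and Options) from user directories, so
# handler binding stays a server-config (RSRC_CONF) decision.
<Directory /home/*/public_html>
    AllowOverride AuthConfig Limit Indexes
</Directory>
```

Only one of the two <Directory> blocks belongs in a real configuration; they are shown side by side for contrast. The same check applies to mod_info's server-info handler.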
