httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ed Korthof ...@organic.com>
Subject [PATCH]: check_hostalias (was Re: [STATUS] 1.2.5....)
Date Mon, 29 Sep 1997 06:37:10 GMT
There are several bugs I noted a while ago in 1.2.x, regarding name-based
virtual hosts.  I wrote some patches, but then got caught up in other
stuff before I finished testing and cleaning them up.

The first problem is mixing port- and name-based virtual hosts.  This is
not a common situation, but basically, if you have a name-based virtual
host (ie it shares IPs and its port w/ the main server), then it will not
be available on any of the ip:port entries before the last one in the
<VirtualHost> line, which have a different port than the last item.
(Unless the last item has port '*' and the Port directive is not used.) If
the Port directive is used, it takes the place of the last port statement
in the VirtualHost line.

The second problem is a potential security hole. It's fairly minor, but
is something people might easily overlook: if any virtual host is
protected by packet-filter or firewall ip based rules, but not by Apache's
ip-based protection (which is plausible, if unlikely), then that host may
be accessible through it's name (given a couple of conditions which I can
outline) -- something you would not (IMO) expect w/o reading the code.

Anyway, the attached patch solves these two issues; I believe it does not
alter Apache's behavior in any other way.

My understanding (after speaking w/ Alexei) is that this second item was
left in due to the possibility of someone switching DNS -- it's entirely
plausible that during a time of transition for name-based virtual hosts,
this could cause a period of inaccessibility.  However, that can be dealt
with use ServerAlias, which was (and is, after this patch) a kind of wild
card.

It's certainly possible to fix the first item w/o doing the second one --
if people want to do that, that's fine with me.  But the second item will
not cause any problems accept as noted above, during DNS transitions; and
there are ways around that.  It is a small bug, but again, it's one people
might well overlook and never realize they were missing it.

     -- Ed Korthof        |  Web Server Engineer --
     -- ed@organic.com    |  Organic Online, Inc --
     -- (415) 278-5676    |  Fax: (415) 284-6891 --

On Thu, 25 Sep 1997, Dean Gaudet wrote:

> No timeline.  1.3b1 should be released first.

Mime
View raw message