httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk-Willem van Gulik <>
Subject Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)
Date Thu, 15 Jan 1998 06:56:30 GMT

On Wed, 14 Jan 1998, Brian Behlendorf wrote:

> I'm not yet ready to throw in the towel and say "we can't protect against
> internal users causing the machine to slow to a crawl and die" - I think we
> can take each case, especially the really cute ones like this, and do some
> sort of workaround.
> I don't understand why there's the sentiment that we need to do a stat()
> everywhere - wouldn't hardcoding the equivalent of 
> <Directory /dev>
> deny from all
> </directory>
> be sufficient?  Or are we trying to do this outside of mod_access?

Actually, though we are discussing a differnt type of file opening here,
this might be cheap solution; i.e. have a wrapper around _every_ open
call which adhers to 

# KeepOut: (Regex-es of) Directories and/or files; which are absolutely
#	   out of bound for any open().
KeepOut	^/dev	^/etc

(ignoring the chicken egg trouble with the config file; though that
gets read twice so you could catch it second time round :-)


View raw message