Return-Path: Delivered-To: new-httpd-archive@hyperreal.org Received: (qmail 26430 invoked by uid 6000); 15 Jan 1998 06:58:09 -0000 Received: (qmail 26422 invoked from network); 15 Jan 1998 06:58:07 -0000 Received: from mrelay.jrc.it (139.191.1.65) by taz.hyperreal.org with SMTP; 15 Jan 1998 06:58:07 -0000 Received: from elec.isei.jrc.it by mrelay.jrc.it (LMC5688) with SMTP id HAA11638; Thu, 15 Jan 1998 07:58:01 +0100 (MET) Received: from elect6.jrc.it by elec.isei.jrc.it (4.1/EI-3.0m) id AA22351; Thu, 15 Jan 98 07:57:26 +0100 Posted-Date: Thu, 15 Jan 1998 07:56:30 +0100 (MET) Date: Thu, 15 Jan 1998 07:56:30 +0100 (MET) From: Dirk-Willem van Gulik X-Sender: dirkx@elect6.jrc.it To: Brian Behlendorf Cc: new-httpd@apache.org Subject: Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd) In-Reply-To: <3.0.3.32.19980114145527.008da4a0@localhost> Message-Id: Reply-Path: Dirk.vanGulik@jrc.it Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: new-httpd-owner@apache.org Precedence: bulk Reply-To: new-httpd@apache.org On Wed, 14 Jan 1998, Brian Behlendorf wrote: > I'm not yet ready to throw in the towel and say "we can't protect against > internal users causing the machine to slow to a crawl and die" - I think we > can take each case, especially the really cute ones like this, and do some > sort of workaround. > > I don't understand why there's the sentiment that we need to do a stat() > everywhere - wouldn't hardcoding the equivalent of > > > deny from all > > > be sufficient? Or are we trying to do this outside of mod_access? Actually, though we are discussing a differnt type of file opening here, this might be cheap solution; i.e. have a wrapper around _every_ open call which adhers to # KeepOut: (Regex-es of) Directories and/or files; which are absolutely # out of bound for any open(). KeepOut ^/dev ^/etc (ignoring the chicken egg trouble with the config file; though that gets read twice so you could catch it second time round :-) DW.