httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: cvs commit: apache-1.3 STATUS
Date Tue, 05 May 1998 06:02:27 GMT
Marc Slemko wrote:
> 
> On Mon, 4 May 1998, Jim Jagielski wrote:
> 
> > Sorry if I wasn't clear... for the config-files, it's most likely
> > safe and "best" to only allow for /dev/null and no other device
> > files. Since ap_pcfg_openfile() is only done for config files, it's
> > not a big deal doing the fstat and is, in fact, wise, hence the
> > smiley
> 
> Except that "config files" include htaccess files and other files that are
> opened, right?
> 
> The extra effort for htaccess files can be written off by claiming
> (probably validly) that you already have far more overhead by opening the
> htaccess files and people should simply move the htaccess to the *.conf
> files.  Stuff like htpasswd files aren't the same.
> 

To me, it looks like the DoS attack would also affect .htaccess
as well as imap files and the password and group files, wouldn't
it? If you throw in the mime file in mod_mime, I think those are
the only files opened with ap_pcfg_openfile(). I think the overhead
might make sense in these limited cases.

-- 
===========================================================================
   Jim Jagielski   |||   jim@jaguNET.com   |||   http://www.jaguNET.com/
            "That's no ordinary rabbit... that's the most foul,
            cruel and bad-tempered rodent you ever laid eyes on"
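
The fstat check discussed in this thread, sketched as an added C example; it is not part of the original message and is not Apache's `ap_pcfg_openfile()` code. The helper name `open_cfg_checked`, the use of `O_NONBLOCK`, and matching `/dev/null` by device number are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a config-style file read-only and return a
 * descriptor, or -1 with errno set if it is not a regular file or /dev/null. */
int open_cfg_checked(const char *path)
{
    struct stat st, nul;
    /* O_NONBLOCK (assumption, not from the thread) keeps open() from
     * hanging on a FIFO with no writer; O_NOCTTY avoids adopting a tty. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor we hold, so the check cannot be raced by
     * swapping the path between a stat() and the open(). */
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode))
            return fd;
        /* Identify /dev/null by device number rather than by name. */
        if (S_ISCHR(st.st_mode) && stat("/dev/null", &nul) == 0 &&
            S_ISCHR(nul.st_mode) && st.st_rdev == nul.st_rdev)
            return fd;
        errno = EACCES;   /* directory, FIFO, socket or other device */
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    /* Constructed sample paths: one allowed device, one refused, one directory. */
    const char *paths[] = { "/dev/null", "/dev/zero", "/" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int fd = open_cfg_checked(paths[i]);
        printf("%-10s %s\n", paths[i], fd >= 0 ? "accepted" : strerror(errno));
        if (fd >= 0)
            close(fd);
    }
    return EXIT_SUCCESS;
}
```

The cost per open is one extra `fstat()` call, plus a `stat()` of `/dev/null` only when the target turns out to be a character device.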
