httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: cvs commit: apache-1.3 STATUS
Date Mon, 04 May 1998 05:36:18 GMT
On Mon, 4 May 1998, Michael Douglass wrote:

> >   +    * The DoS issue about symlinks to /dev/zero is still present.
> >   +      A device checker patch had been sent to the list a while ago.
> >   +      Msg-Id: ?
> >   +       Jim: Couldn't we just use stat() and check the file-type?
> >   +            stats are expensive though...
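
Review bot: the "Msg-Id: ?" line in this STATUS entry is still a placeholder, so the device checker patch it refers to cannot be found from the file; fill in the message id or drop the line. On the "Jim:" note, the entry should also say which file opens the stat() check is meant to cover, since that decides how much the cost raised in "stats are expensive though..." matters.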
> 
> I was just sitting here thinking of a way to handle this.  Instead of
> trying to detect this information every time you transfer a file; how
> about proceeding with the transfer as you do now, but after X bytes
> being transferred stop and check the file.  If it's a regular file
> keep going, otherwise end the current connection and log the item
> with red flags.

The thing is that this isn't just files sent to the client, but any
files used for things like htpasswd, etc. that the user can control in the
htaccess file.  Generally, a DoS attack isn't very interesting if it just
involves sending x bytes to the client where x is large.  It only grows
interesting when you can process x bytes without sending x bytes.

> 
> Another interesting thought is to have this same logic add the filename
> to a list of 'bad' filenames to compare against before transferring.  This
> would mean that you would transfer X bytes of the device file once per
> child; and then, from that point on, it would only log it in the errorlog.
> The denying access could be handled by a module; but the transfer of the
> file itself is in the core apache is it not?
> 
> Hrmm...  Anyone have any thoughts on a 'critical_log'?  Seems that the
> 'error_log' can get full of useless information.  Perhaps for 2.0?
> 
> Enjoy,
> 
> P.S.  Anyone going to Networld+Interop in Vegas?  I'd be more than
>       interested in meeting some of you apache people.

We Apache people would be interested in meeting us Apache people too.  <g>

> 
> -- 
> Michael Douglass
> Texas Networking, Inc.
> 
>   <msmith> it's raining...it's pouring...the old man...
>   *** Describe: msmith shuts up now.
> 
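
An added example, not part of the original message and not Apache code: one way to do the file-type check discussed above for files the server itself reads (such as a password file named in an htaccess file), using fstat() on the opened descriptor rather than stat() on the path. The helper name open_regular_file and the /tmp path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not an Apache API.
 * Returns a read-only descriptor for a regular file, or -1 with errno set.
 * The type is checked with fstat() on the descriptor that will be read, so a
 * symlink swapped in between a stat() and the open() cannot change the answer. */
int open_regular_file(const char *path)
{
    struct stat st;
    /* O_NONBLOCK: opening a FIFO with no writer must not hang the child. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {          /* device, FIFO, directory, socket */
        close(fd);
        errno = S_ISDIR(st.st_mode) ? EISDIR : EINVAL;
        return -1;
    }
    /* Restore normal blocking reads on the regular file. */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
    return fd;
}

/* Constructed sample: a symlink named like a password file, pointing at /dev/zero. */
int main(void)
{
    const char *link_path = "/tmp/example-htpasswd-link";   /* constructed path */
    unlink(link_path);
    if (symlink("/dev/zero", link_path) != 0)
        return 1;
    int fd = open_regular_file(link_path);
    printf("%s: %s\n", link_path, fd < 0 ? strerror(errno) : "opened");
    if (fd >= 0)
        close(fd);
    unlink(link_path);
    return 0;
}
```

The check costs one fstat() per open and no extra path lookup, and it runs before any bytes are read.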

