httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: mod_status and not displaying the password in request
Date Fri, 30 Oct 1998 13:44:11 GMT

Rasmus Lerdorf wrote:
> 
> > Well, I consider things like the client's IP and the vhost itself
> > "sensitive" information. Heck, even the request itself could be
> > considered sensitive in that why should the world know that the
> > browser at 207.207.111.2 was looking at 'www.biguns.com' and requesting
> > 'GET /images/whatknockers.gif HTTP/1.0'
> 
> No fair!  http://www.biguns.com/images/whatknockers.gif doesn't exist.  If
> you want your argument to hold any water you need to use real data!  ;)
> 
> I still consider that information somewhat less sensitive than a password
> that will let someone into a protected area of the site and potentially
> execute transactions or whatever else might go along with that.
> 

I agree... there are levels of sensitivity and passwords are more
sensitive than a simple request. I guess my point is that the server
module should really be "allowed" for the web master him/herself
and never the public at large, in which case it's "less" of an issue.
And since we're talking a very privileged person, they should be able
to see the whole request, since it could provide valuable info, like
when a client says "Hey, my password isn't working" and the admin can
look at the request and say "Hey, you aren't entering the right one".

Most probably I'll keep the current behavior, with maybe a compile-time
control or something...

-- 
===========================================================================
   Jim Jagielski   |||   jim@jaguNET.com   |||   http://www.jaguNET.com/
            "That's no ordinary rabbit... that's the most foul,
            cruel and bad-tempered rodent you ever laid eyes on"
