httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Stoddard" <stodd...@raleigh.ibm.com>
Subject Re: cvs commit: httpd-2.0/server config.c
Date Tue, 27 Mar 2001 21:19:47 GMT
> Isn't this a huge security whole?  You have basically allowed somebody to
> server information off a web server without even checking for
> authentication.

It is up to the module author using the quick_handler hook to do the right
thing.  Consider Mike Abbott's quick shortcut cache: nothing is placed in the
cache unless it meets certain restrictions (not dynamically generated, not
access protected, not negotiated, etc.). In the QSK, if a request comes in and
it meets certain criterion and a search of the URI cache yields a hit, then by
definition it is okay to serve up the content.  I am working on a variation of
the QSK for use by this hook.

The other use I can envision is to delegate authority to serve request out of
a particular URI space (say URI = /www/servlets/*) to a quick_handler
implemented by a module that intercepts requests for a servlet engine (e.g.
Tomcat). The servlet engines that I am aware of (including Tomcat) have their
own access control and do not use Apache's access control. Using the
quick_handler, it would be simple to quickly route dynamic requests generated
by servlets to Tomcat but serve the static content out of a cache or the file
system.

It would almost certainly be a serious mistake to try to serve content out
directly out of the file system from a quick_handler.

Bill



Mime
View raw message