httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Stein <>
Subject Re: cvs commit: httpd-2.0/server config.c
Date Tue, 27 Mar 2001 23:54:22 GMT
I'll throw in a -0 on the quick handler thing. It seems just a little too
shaky, and too easily abused.


On Tue, Mar 27, 2001 at 01:46:46PM -0800, wrote:
> On Tue, 27 Mar 2001, Bill Stoddard wrote:
> > > Isn't this a huge security whole?  You have basically allowed somebody to
> > > server information off a web server without even checking for
> > > authentication.
> >
> > It is up to the module author using the quick_handler hook to do the right
> > thing.  Consider Mike Abbott's quick shortcut cache: nothing is placed in the
> > cache unless it meets certain restrictions (not dynamically generated, not
> > access protected, not negotiated, etc.). In the QSK, if a request comes in and
> > it meets certain criterion and a search of the URI cache yields a hit, then by
> > definition it is okay to serve up the content.  I am working on a variation of
> > the QSK for use by this hook.
> IMO, this is the wrong way to cache things.  You are asking for trouble.
> The better way to cache, is to determine which hooks were actually used by
> a given request, and only call those hooks that are required.  That way,
> the cache is useful for all requests, and we retain security.
> So, basically we have just implemented an entire hook for one use case?
> What does this do to requests that don't use this hook.
> > The other use I can envision is to delegate authority to serve request out of
> > a particular URI space (say URI = /www/servlets/*) to a quick_handler
> > implemented by a module that intercepts requests for a servlet engine (e.g.
> > Tomcat). The servlet engines that I am aware of (including Tomcat) have their
> > own access control and do not use Apache's access control. Using the
> > quick_handler, it would be simple to quickly route dynamic requests generated
> > by servlets to Tomcat but serve the static content out of a cache or the file
> > system.
> Servlet engines allow one or the other.  Most servlet engines will let you
> use Apache's auth stuff if you want to.  This hook also bypasses the
> translate_name hook and fixups, so I am relatively sure that just sending
> data to the servlet engine is a bad idea.
> You have also completely by-passed the insert_filters phase, which means
> that anything that is in the cache won't have any filters associated with
> it.  I have a simple module that adds header/footer information, using a
> filter.  Anything served out of the cache will miss that information.
> Unless, you are assuming that the cache will automagically take care of
> filter assignment, which is not a simple thing to deal with.
> > It would almost certainly be a serious mistake to try to serve content out
> > directly out of the file system from a quick_handler.
> That bothers me.  Saying that we have a way to send data that should
> not be used off the FS seems a bit hokey to me.
> This hook should also live entirely within the http module currently.  I
> am 99% sure that this is a horrible thing to have for 99% of the other
> protocols out there.
> Ryan
> _______________________________________________________________________________
> Ryan Bloom               
> 406 29th St.
> San Francisco, CA 94131
> -------------------------------------------------------------------------------

Greg Stein,

View raw message