httpd-dev mailing list archives

From <...@covalent.net>
Subject Re: cvs commit: httpd-2.0/server config.c
Date Tue, 27 Mar 2001 21:46:46 GMT
On Tue, 27 Mar 2001, Bill Stoddard wrote:

> > Isn't this a huge security hole?  You have basically allowed somebody to
> > serve information off a web server without even checking for
> > authentication.
>
> It is up to the module author using the quick_handler hook to do the right
> thing.  Consider Mike Abbott's quick shortcut cache: nothing is placed in the
> cache unless it meets certain restrictions (not dynamically generated, not
> access protected, not negotiated, etc.). In the QSK, if a request comes in and
> it meets certain criteria and a search of the URI cache yields a hit, then by
> definition it is okay to serve up the content.  I am working on a variation of
> the QSK for use by this hook.

IMO, this is the wrong way to cache things.  You are asking for trouble.
The better way to cache is to determine which hooks were actually used by
a given request, and only call those hooks that are required.  That way,
the cache is useful for all requests, and we retain security.

So, basically we have just implemented an entire hook for one use case?
What does this do to requests that don't use this hook?

> The other use I can envision is to delegate authority to serve requests out of
> a particular URI space (say URI = /www/servlets/*) to a quick_handler
> implemented by a module that intercepts requests for a servlet engine (e.g.
> Tomcat). The servlet engines that I am aware of (including Tomcat) have their
> own access control and do not use Apache's access control. Using the
> quick_handler, it would be simple to quickly route dynamic requests generated
> by servlets to Tomcat but serve the static content out of a cache or the file
> system.

Servlet engines allow one or the other.  Most servlet engines will let you
use Apache's auth stuff if you want to.  This hook also bypasses the
translate_name hook and fixups, so I am relatively sure that just sending
data to the servlet engine is a bad idea.

You have also completely bypassed the insert_filters phase, which means
that anything that is in the cache won't have any filters associated with
it.  I have a simple module that adds header/footer information, using a
filter.  Anything served out of the cache will miss that information.
Unless you are assuming that the cache will automagically take care of
filter assignment, which is not a simple thing to deal with.

> It would almost certainly be a serious mistake to try to serve content
> directly out of the file system from a quick_handler.

That bothers me.  Saying that we have a way to send data that should
not be used off the FS seems a bit hokey to me.

This hook should also live entirely within the http module currently.  I
am 99% sure that this is a horrible thing to have for 99% of the other
protocols out there.

Ryan
_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------
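
An added illustration of the disagreement in this message, not code from the post, from httpd, or from any module named in it: a toy C model in which a quick-handler cache hit returns before the access check, fixups and filter insertion run, so safety rests entirely on the cache's admission rule. All names (`process_request`, `cache_admit`, the `PH_*` flags) and the sample URI are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the request phases named in the thread; not httpd source. */
enum { PH_TRANSLATE = 1, PH_ACCESS = 2, PH_FIXUPS = 4, PH_FILTERS = 8, PH_HANDLER = 16 };

struct resource { const char *uri; int dynamic, access_protected, negotiated; };

#define CACHE_MAX 8
static const char *cache[CACHE_MAX];
static int cache_n;

static void cache_reset(void) { cache_n = 0; }

/* strict != 0 applies the admission rule quoted in the thread. */
static int cache_admit(const struct resource *r, int strict) {
    if (cache_n == CACHE_MAX) return 0;
    if (strict && (r->dynamic || r->access_protected || r->negotiated)) return 0;
    cache[cache_n++] = r->uri;
    return 1;
}

static int cache_hit(const char *uri) {
    for (int i = 0; i < cache_n; i++)
        if (strcmp(cache[i], uri) == 0) return 1;
    return 0;
}

/* Returns the bitmask of phases that ran; *served says whether content went out. */
static int process_request(const struct resource *r, int authenticated, int strict, int *served) {
    if (cache_hit(r->uri)) { *served = 1; return 0; }   /* quick handler: nothing else runs */
    int ran = PH_TRANSLATE | PH_ACCESS;
    if (r->access_protected && !authenticated) { *served = 0; return ran; }
    ran |= PH_FIXUPS | PH_FILTERS | PH_HANDLER;
    *served = 1;
    cache_admit(r, strict);
    return ran;
}

int main(void) {
    struct resource priv = { "/private/report.html", 0, 1, 0 };  /* constructed sample */
    int served;
    for (int strict = 0; strict <= 1; strict++) {
        cache_reset();
        process_request(&priv, 1, strict, &served);           /* authenticated user warms cache */
        int ran = process_request(&priv, 0, strict, &served); /* then an anonymous request */
        printf("strict=%d anonymous served=%d phases=0x%x\n", strict, served, ran);
    }
    return 0;
}
```

Even with the strict rule, a hit on public content reports zero phases run, which is the filter-insertion concern raised above.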


