httpd-dev mailing list archives

From Marc Slemko <>
Subject Re: proxy + SetOutputFilter
Date Sun, 19 Aug 2001 20:09:02 GMT
On Sun, 19 Aug 2001, Rasmus Lerdorf wrote:

> > proxy requests for *.shtml will get run through mod_include, but of course
> > there won't be anything for mod_include to replace.
> Well, there could be.  The upstream mod_include could execute something
> that generates output that includes mod_include tags.

...which obviously can be a security problem.

> > but a *.html or *.jpg or similar filter might want to filter proxy
> > requests.  i'm wondering if this should be up to the module to decide or
> > the user to decide with new configuration directive?
> I think the module should have the ability to decide this.

...but we need to think very carefully about what the defaults are and how
to make it so that "naive" configurations on the part of the user (and
naive filters) will not introduce any security issues.

Configuration of when filters are and are not applied, and making sure
they are not applied in cases where such application would be
unintentional, is a very important security issue, since there is a huge
risk for all sorts of undesirable things if done wrong... 
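
Added example, not part of the original message: a check an operator could run on upstream response bodies before allowing an include-processing filter on proxied content, reporting any mod_include directives the upstream emits. The function names, the severity ranking and the sample bodies are constructed for illustration.

```python
import re

# mod_include directive syntax: <!--#element attr="value" ... -->
DIRECTIVE = re.compile(r'<!--#(\w+)(.*?)-->', re.DOTALL)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')

# Severity ranking is this example's own assumption, not an Apache definition.
SEVERITY = {"exec": "high", "include": "medium", "printenv": "medium"}


def find_ssi_directives(body: bytes):
    """Return (element, attrs, severity) for each SSI directive in a body."""
    text = body.decode("latin-1")  # byte-preserving decode, never raises
    findings = []
    for match in DIRECTIVE.finditer(text):
        element = match.group(1).lower()
        attrs = {
            name.lower(): (dq or sq or bare)
            for name, dq, sq, bare in ATTR.findall(match.group(2))
        }
        findings.append((element, attrs, SEVERITY.get(element, "low")))
    return findings


def proxied_body_is_inert(body: bytes) -> bool:
    """True when the body has no directive a downstream include filter would act on."""
    return not find_ssi_directives(body)


# Constructed sample upstream responses.
UPSTREAM_OK = b"<html><body><!-- plain comment --><p>hello</p></body></html>"
UPSTREAM_TAGGED = (
    b'<html><body>Guestbook entry: <!--#exec cmd="uptime" -->'
    b'<!--#include virtual="/private/status" --></body></html>'
)

if __name__ == "__main__":
    for label, body in (("ok", UPSTREAM_OK), ("tagged", UPSTREAM_TAGGED)):
        print(label, proxied_body_is_inert(body), find_ssi_directives(body))
```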
