httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ryan Bloom" <...@covalent.net>
Subject quick_handler hook is completely bogus.
Date Tue, 30 Jul 2002 19:40:56 GMT

I realize that this is a strong statement, but I believe that I can back
it up.  My reasons for not liking this hook at all:

1)  If I have a page that I have served and it gets put in the cache,
then it will be served out of the quick_handler phase.  However, if I
then add or modify a .htaccess file to deny access to that page, then my
changes won't be honored until the page expires from the cache.  This is
a security hole, because I don't know of anyway to invalidate cached
pages.  (This one if from a conversation with wrowe).  [ I guess it
might be possible to clear the cache with a graceful restart. ]

2)  If I have a page that uses access checking to ensure that only
certain people can request the page, the cache_filter will put it in the
quick handler.  However, the page may not be allowed to people who will
request it from the cache.  I may be wrong about this one, but I see how
the cache disallows pages that require authentication.  I do not see how
it can disallow caching of pages that require access_checking.

3)  It isn't possible for a module author to circumvent the
quick_handler phase.  If I write a module that doesn't want to allow the
quick_handler phase, for security reasons, I can't enforce it.

While I understand that we are giving people a lot of rope and asking
them to use it wisely, this phase gives too much rope, and invites
people to hang themselves.

I believe that this hook should be removed, and all content should be
served out of the handler phase.  If we are looking to remove some
request phases, then we should make it possible to avoid individual
phases when serving requests, not completely skip all of them.

Ryan

----------------------------------------------
Ryan Bloom
rbb@covalent.net           rbb@apache.org



Mime
View raw message