httpd-dev mailing list archives

From "Ryan Bloom" <...@covalent.net>
Subject RE: quick_handler hook is completely bogus.
Date Tue, 30 Jul 2002 20:13:42 GMT
> > 1)  If I have a page that I have served and it gets put in the cache,
> > then it will be served out of the quick_handler phase.  However, if I
> > then add or modify a .htaccess file to deny access to that page,
> > then my changes won't be honored until the page expires from the
> > cache.  This is a security hole, because I don't know of any way to
> > invalidate cached pages.  (This one is from a conversation with
> > wrowe).  [ I guess it might be possible to clear the cache with a
> > graceful restart. ]
> 
> How does this differ from the document being cached anywhere
> else?  Such as in squid, or a proxy, or the client's cache?  Depending
> upon the cache-control fields in the original response header,
> the cache engine may not even do a conditional GET.

I can accept that argument.  Although, from a user's point of view, I
would consider them different specifically because in the cache module,
everything required to serve the page is in the same place.

> > 2)  If I have a page that uses access checking to ensure that only
> > certain people can request the page, the cache_filter will put it
> > in the quick handler.
> 
> I thought the caching modules didn't cache anything that required
> either access or auth/authz checking.  FirstBill?

I read through the code, and I see where the auth/authz decision is
made.  However, I can't see where the access control decision is made.
If it is there, then I would be more than happy to remove this issue.

> > 3)  It isn't possible for a module author to circumvent the
> > quick_handler phase.  If I write a module that doesn't want to
> > allow the quick_handler phase, for security reasons, I can't
> > enforce it.
> 
> How can a module author disallow *any* phase?  That's a core
> function, not up to modules to decide.

In every other hook in the server, I can generally return some value
that makes the phase stop processing, while allowing the request to
finish.  For many phases, that code is DONE, for others it is OK or
DECLINED.  With quick_handler, there is nothing I can do.

Ryan
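As an added illustration of points 1 and 2 above (this is not httpd source and not code from anyone in this thread), the following simplified C model of the phase ordering shows why a page served from the quick_handler phase never reaches the access checker. The hook names and return constants follow httpd's values; the cache contents and the .htaccess deny are hypothetical stand-ins.

```c
/* Simplified model of httpd's request phases (not httpd code). The
 * quick_handler phase runs before access_checker, so a cache hit that
 * returns OK short-circuits every later phase, including the access
 * check that a newly added .htaccess deny would otherwise enforce. */
#include <stdio.h>
#include <string.h>

#define OK        0
#define DECLINED -1
#define HTTP_OK        200
#define HTTP_FORBIDDEN 403

struct request { const char *uri; int status; };

/* Hypothetical cache module: only /cached.html is currently stored. */
static int cache_quick_handler(struct request *r)
{
    if (strcmp(r->uri, "/cached.html") == 0) { r->status = HTTP_OK; return OK; }
    return DECLINED;
}

/* Hypothetical access checker standing in for a "Deny from all" in
 * .htaccess that was added after /cached.html entered the cache. */
static int deny_access_checker(struct request *r)
{
    if (strcmp(r->uri, "/cached.html") == 0 || strcmp(r->uri, "/secret.html") == 0)
        return HTTP_FORBIDDEN;
    return OK;
}

/* quick_handler is RUN_FIRST: anything but DECLINED ends the phase, and
 * OK means the response is complete, so no later phase is consulted. */
int process_request(struct request *r)
{
    int rv = cache_quick_handler(r);
    if (rv == OK) return r->status;   /* cache hit: access check never runs */
    if (rv != DECLINED) return rv;    /* quick handler raised an error status */
    rv = deny_access_checker(r);      /* only reached on a cache miss */
    if (rv != OK) { r->status = rv; return rv; }
    r->status = HTTP_OK;              /* content handler serves the page */
    return r->status;
}

int main(void)
{
    struct request a = { "/cached.html", 0 }, b = { "/secret.html", 0 };
    printf("%s -> %d\n", a.uri, process_request(&a));  /* 200: deny not honored */
    printf("%s -> %d\n", b.uri, process_request(&b));  /* 403: deny honored */
    return 0;
}
```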