httpd-dev mailing list archives

From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Re: quick_handler hook is completely bogus.
Date Tue, 30 Jul 2002 20:14:59 GMT
Ryan Bloom wrote:
> 
> 1)  If I have a page that I have served and it gets put in the cache,
> then it will be served out of the quick_handler phase.  However, if I
> then add or modify a .htaccess file to deny access to that page,
> then my changes won't be honored until the page expires from the
> cache.  This is a security hole, because I don't know of any way to
> invalidate cached pages.  (This one is from a conversation with
> wrowe).  [ I guess it might be possible to clear the cache with a
> graceful restart. ]

How does this differ from the document being cached anywhere
else?  Such as in squid, or a proxy, or the client's cache?  Depending
upon the cache-control fields in the original response header,
the cache engine may not even do a conditional GET.

(Not trying to be obstreperous; asking a serious question.)

> 2)  If I have a page that uses access checking to ensure that only
> certain people can request the page, the cache_filter will put it
> in the quick handler.

I thought the caching modules didn't cache anything that required
either access or auth/authz checking.  FirstBill?

> 3)  It isn't possible for a module author to circumvent the
> quick_handler phase.  If I write a module that doesn't want to
> allow the quick_handler phase, for security reasons, I can't
> enforce it.

How can a module author disallow *any* phase?  That's a core
function, not up to modules to decide.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"
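
The ordering issue raised in point 1 of the quoted message, as a toy model added to this archive page (not part of the original message and not httpd code). The `Server` class, its fields, the sample path and the TTL are hypothetical; the model only contrasts a cache lookup that runs before access checks with one that runs after them.

```python
# Toy model of a request pipeline; NOT Apache httpd code. All names are hypothetical.

class Server:
    def __init__(self, quick_handler=True, ttl=60):
        self.quick_handler = quick_handler  # consult the cache before access checks?
        self.ttl = ttl                      # cache lifetime in seconds
        self.cache = {}                     # path -> (body, expires_at)
        self.denied = set()                 # stands in for .htaccess deny rules
        self.docs = {"/report.html": "quarterly numbers"}  # constructed sample content

    def _cached(self, path, now):
        entry = self.cache.get(path)
        if entry and entry[1] > now:
            return entry[0]
        self.cache.pop(path, None)          # drop expired entries
        return None

    def handle(self, path, now):
        # Quick-handler phase: runs before any access checking.
        if self.quick_handler:
            body = self._cached(path, now)
            if body is not None:
                return 200, body, "cache (quick_handler)"
        # Access-check phase: only reached when the quick handler declined.
        if path in self.denied:
            return 403, "", "access check"
        # Normal handler phase, with the cache consulted after access checks.
        body = self._cached(path, now)
        if body is not None:
            return 200, body, "cache (after access check)"
        if path not in self.docs:
            return 404, "", "handler"
        body = self.docs[path]
        self.cache[path] = (body, now + self.ttl)
        return 200, body, "handler"


def scenario(quick_handler):
    """Serve a page, add a deny rule, then request it while fresh and after expiry."""
    s = Server(quick_handler=quick_handler, ttl=60)
    statuses = [s.handle("/report.html", now=0)[0]]      # first hit fills the cache
    s.denied.add("/report.html")                         # admin adds a deny rule
    statuses.append(s.handle("/report.html", now=10)[0])  # entry still fresh
    statuses.append(s.handle("/report.html", now=61)[0])  # entry has expired
    return statuses


if __name__ == "__main__":
    print("quick handler on :", scenario(True))
    print("quick handler off:", scenario(False))
```

With the quick handler on, the deny rule takes effect only once the cached entry expires; with the lookup placed after the access check, it takes effect on the next request.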
