httpd-dev mailing list archives

From Colm MacCarthaigh <c...@stdlib.net>
Subject Re: [vote] 2.1.9 as beta
Date Wed, 02 Nov 2005 20:01:14 GMT
On Wed, Nov 02, 2005 at 08:41:18PM +0100, Ruediger Pluem wrote:
> I do not regard this as a showstopper since we only have an admittedly
> serious security problem in a *specific* configuration. I think it is
> enough to add a big warning to the mod_cache documentation that
> protecting cached resources with mod_authz_host does not work as
> expected. There are many ways to create an insecure configuration if
> you do not take care, so this warning should be enough.  Even more as
> caching seems to me some sort of advanced configuration anyway that
> will mostly be done by more experienced people.

I think the text "Deny from all" is a particularly dangerous thing to
have not work as advertised! No matter how well documented :/

> Just for my remembrance: This was the quick_handler vs. handler issue,
> correct?  Who actually vetoes this fix? As far as I remember the fix
> made it configurable where to run the cache handler (quick_handler /
> handler), right?

Yes, basically the map to storage hook needs to be run before mod_cache
makes the decision to serve the content. Coming before the
map_to_storage hook is the real main difference between a quickhandler
and an ordinary handler, so inserting this hook into mod_cache itself
makes little sense. 

Additionally for a pure proxy environment we don't need the overhead of
the map to storage hook, it's only for local content that it matters in
this way. 

> > prior to GA.
> 
> If we remove it before GA no one can use it and it would be a large
> step backward as

It'd be awful!

> If we leave it in we only have a subgroup of users who cannot use it.
> What is more important from my point of view is that we return to a
> discussion how to solve this problem and solve the technical concerns
> expressed in the veto of the fix.

The patch that's vetoed is at:

http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=111597814015667&w=2

And the concerns at:

http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=111600137824345&w=2

In an ideal world, I agree with Bill's line of reasoning there (though
that's a slightly different problem in the actual thread), the best way
to solve this would be to have mod_authz_host "detect" that the rule for
the content being served would always be "Allow from all" - so it's safe
to cache. 

But doing that is very impractical, because even if we could traverse
the entire tree of possible allow/deny directives, and then decided it
was cacheable, the admin might then add a "Deny". This would silently
take no effect until the entity expired from the cache, which is the
original problem all over again :/

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net
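
The hook ordering discussed in this message, as an added example that is not part of the original mail and not httpd code: a simplified Python model of the request phases, with the cache lookup placed either in the quick handler or in an ordinary handler. The class, function and path names are hypothetical, and the resource and timings are constructed.

```python
# Simplified model of the request phases discussed in this thread.
# All names are hypothetical; this is not httpd code.

class Server:
    def __init__(self, cache_in_quick_handler, ttl=60):
        self.quick = cache_in_quick_handler
        self.ttl = ttl
        self.cache = {}      # path -> (body, expiry time)
        self.denied = set()  # paths covered by "Deny from all"
        self.files = {}      # path -> body (local content)

    def _cached(self, path, now):
        hit = self.cache.get(path)
        if hit and hit[1] > now:
            return hit[0]
        self.cache.pop(path, None)  # drop expired entry, if any
        return None

    def handle(self, path, now):
        # Phase 1: quick_handler runs before map_to_storage, so no
        # per-directory configuration (and no Deny rule) is known yet.
        if self.quick:
            body = self._cached(path, now)
            if body is not None:
                return 200, body
        # Phase 2: map_to_storage, then the host-based access check.
        if path in self.denied:
            return 403, ""
        # Phase 3: ordinary handler; a cache here sits behind the check.
        body = None if self.quick else self._cached(path, now)
        if body is None:
            body = self.files[path]
            self.cache[path] = (body, now + self.ttl)
        return 200, body

def deny_after_caching(cache_in_quick_handler):
    """Cache a resource, add a Deny, then request it before and after expiry."""
    s = Server(cache_in_quick_handler, ttl=60)
    s.files["/private/report"] = "secret"   # constructed sample content
    first = s.handle("/private/report", now=0)[0]
    s.denied.add("/private/report")          # admin adds "Deny from all"
    before_expiry = s.handle("/private/report", now=30)[0]
    after_expiry = s.handle("/private/report", now=61)[0]
    return first, before_expiry, after_expiry
```

With the cache in the quick handler, the newly added Deny only takes effect once the cached entity expires; with the cache behind the access check it takes effect on the next request.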
