httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <n...@webthing.com>
Subject Hooks into request creation?
Date Thu, 23 Nov 2006 14:36:28 GMT
I've been contemplating something like a mod_taint, to apply rules akin
to Perl's taint checking, at the earliest possible stage of request
processing.  In other words, apply taint checking to the request line
as we read it, and to each header line before putting it in
r->headers_in.

That would work with hooks from read_request_line and
ap_get_mime_headers_core.  No such hooks exist, and adding them
for this purpose alone might seem OTT.

Now, there could be another consideration here.  This is HTTP-specific
code in the core, which is at odds with the stated aspiration of being
protocol-agnostic.  Inserting hooks at these points could, in due
course (e.g. for 2.4) enable us to punt this HTTP-specific code to
a protocol module.

The crucial question here is: can this path lead cleanly to overall
protocol-agnosticism?  Thoughts?

Of course, the alternative for mod_taint is a post_read_request hook.
It doesn't fit anywhere in the filter chain, because low-level decoding
of folded lines and converting them into a headers_in table happens
in a single step.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Mime
View raw message