httpd-dev mailing list archives

From "Justin Erenkrantz" <jus...@erenkrantz.com>
Subject Re: Workaround (Re: walk caching to avoid extra authnz)
Date Wed, 06 Dec 2006 23:16:34 GMT
On 12/6/06, Nick Kew <nick@webthing.com> wrote:
> A corresponding authz hook will implement a "Require inherit"
> to enable subrequests with "inherited" set to be authorized,
> and will run ahead of "normal" authz hooks.
>
> Would that be a good solution here?

I think you mean that if they have 'require inherit' that they bypass
the authz checks if it's a sub-req. Perhaps, but wow, people could
really bust their authz setups if they have allow /foo and deny
/foo/bar - especially with WebDAV accesses.  I sort of think that
makes it just too easy to shoot themselves in the foot and disclose
something that they didn't intend to do.  Maybe make it "require
inherit-i-know-that-this-is-a-blatant-security-risk" - that might be
better, but still.  =P  -- justin
