httpd-dev mailing list archives

From "Ivan Ristic" <>
Subject Re: My hacked mod_xsendfile
Date Mon, 28 Jan 2008 09:35:21 GMT
On Jan 25, 2008 7:55 PM, Akins, Brian <> wrote:
> I started to play with xsendfile more.  I noticed the mod_xsendfile floating
> around tried to basically replace what the default handler does very well.
> Basically, my version does a subrequest for the file.  This allows things
> like "Deny from all", etc., to work.  This should be more secure, i.e., if you
> set your deny's correctly, you can't "X-Sendfile: /etc/passwd".  All in all,
> it seems more "httpd"-like, to me.

I am not very familiar with X-Sendfile (as in: I read about it but
never used it), but it sounds like it's breaking the FastCGI security
model. The FastCGI process is likely to be running under a different
account, but here we have a facility that allows that other process to
use the privileges of the Apache user to fetch a file. I can see how
this feature could easily find its way to the list of small tricks
that can be used to compromise a web server installation, one step at
a time.

> It is very rough.  I do not understand brigades enough to know why it is
> chunking every reply in my tests.  I have tested with just a normal cgi
> setting the header.
> Not well tested.  I'd like to see us work toward getting X-sendfile into the
> normal httpd distribution (along with mod_fcgid...)
> --
> Brian Akins
> Chief Operations Engineer
> Turner Digital Media Technologies

Ivan Ristic
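
The `X-Sendfile: /etc/passwd` case raised in this thread, as an added example that is not code from either poster or from mod_xsendfile: a front end that canonicalizes the backend-supplied path and serves it only if it resolves inside a configured root. This is path confinement, a different technique from the subrequest approach Brian describes; `confine_sendfile`, `allowed_roots` and the temporary directory tree are hypothetical names and constructed sample data, and a POSIX filesystem is assumed.

```python
import os
import tempfile


def confine_sendfile(header_value, allowed_roots):
    """Return the canonical file path to serve, or None to refuse the header."""
    # Refuse empty values, embedded NULs and relative paths outright.
    if not header_value or "\x00" in header_value or not os.path.isabs(header_value):
        return None
    # realpath() collapses ".." components and follows symlinks, so the
    # comparison below is made on the file that would really be opened.
    real = os.path.realpath(header_value)
    if not os.path.isfile(real):
        return None
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        # commonpath() compares whole path components, so "/srv/dl-evil"
        # is not mistaken for a child of "/srv/dl".
        if os.path.commonpath([real, root_real]) == root_real:
            return real
    return None


def demo():
    """Run constructed header values through the check; True means served."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "downloads")       # the only allowed root
    os.mkdir(root)
    inside = os.path.join(root, "report.pdf")
    outside = os.path.join(base, "secret.txt")   # sibling of the root
    for path in (inside, outside):
        with open(path, "w") as fh:
            fh.write("x")
    link = os.path.join(root, "link")
    os.symlink(outside, link)                    # symlink escaping the root
    samples = {
        "inside": inside,
        "traversal": os.path.join(root, "..", "secret.txt"),
        "symlink": link,
        "system": "/etc/passwd",
        "relative": "report.pdf",
    }
    return {name: confine_sendfile(value, [root]) is not None
            for name, value in samples.items()}


if __name__ == "__main__":
    print(demo())
```

The check still reads the file with the web server's own privileges, so it narrows which paths a backend can name but does not restore the account separation Ivan describes.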
