httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: Includes vs IncludesNoExec security issue - help needed
Date Tue, 28 Apr 2009 13:48:52 GMT
Thanks for all the feedback so far.  I've added in tests of combinations 
using negative options in .htaccess, bringing the test matrix to a 
glorious size of 3 x 4 x 10 = 120 entries: this page gives before/after 
results with 2.2.x vanilla and the patch I posted previously:

  http://people.apache.org/~jorton/ssi-exec/t3-jorton-v1.html

1) w.r.t. to the combination: "Options Includes" in httpd.conf, with 
"Options -Includes +IncludesNoExec" in .htaccess:

yes, that seems to do the right thing in all cases; allow SSI with no 
exec= - see test #107.  That doesn't happen currently in all 
AllowOverride cases, see e.g. #67 and #97.

2) Jon asked off-list whether negative options should be permitted in 
.htaccess regardless of the AllowOverride mask.  I'm not sure about this 
and would rather avoid changing that now.

3) Yes, the test results I've posted above are using the patch I posted 
to security@ unchanged.

4) w.r.t. 2.0/1.3 behaviour.  2.0/1.3 don't have per-Option 
AllowOverrides logic, so, none of this is relevant as far as I can tell; 
there's no security issue at least.

5) I'll post an updated patch soon which fixes the behaviour of "Options 
Includes"/"Options +IncludesNoExec" such that SSI is permitted without 
exec, as is the current 2.2.x behaviour, since that seems to be the 
rough consensus.  Jon also spotted a minor logic flaw in the patch which 
I'll fix too.

I think that's everything.

Regards, Joe

Mime
View raw message