httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Re: [RFC] A new hook: invoke_handler and web-application security
Date Wed, 08 Apr 2009 08:09:14 GMT

On 8 Apr 2009, at 08:32, Joe Orton wrote:

> So I'm not sure that it's worthwhile.  Having said that, it seems a  
> lot
> more worthwhile than the mod_privileges approach in the trunk, which
> seems to claim it is secure so long as you don't execute untrusted  
> code,
> so I'm not sure what threat model that addresses at all.

That's untrusted, privileges-aware code.
Use case: mod_php, whose safe_mode prevents loading such code.

Nick Kew

View raw message