httpd-dev mailing list archives

From Dan Poirier <>
Subject Re: server-status-handler information leak
Date Mon, 21 Jun 2010 01:29:15 GMT
On 2010-06-11 at 08:39, Volker <> wrote:

> Hi,
> while playing around with handlers, I noticed that any user can
> register the 'server-status'-handler by putting
> SetHandler server-status
> in an .htaccess file. This cannot be prevented by using alternating
> AllowOverride-directives, since 'SetHandler' is part of 'FileInfo' which
> also holds ErrorDocuments, mod_rewrite, etc.
> Since the server-status-handler offers information one might not want
> others to have access to (for example a massive shared hosting
> environment), I created a small patch that enables a custom handlername
> for the server-status-module. Just thought someone else might have use
> for it.
> What this patch does:
> - reserves memory for directive with parameter (AP_INIT_TAKE1)
> - adds a function for creating config-records (create_modstatus_config)
> - adds a function to set the handlername (set_serverstatus_handler_name)
> If the handlername is not set using the directive, it defaults to the
> old 'server-status' and continues to work with the old setting.


> Any comments, suggestions, improvements and/or critical comments are
> welcome.

Thanks for the problem report and patch.  Since it doesn't seem that
anyone has responded yet (unless I missed it), I suggest that you open a
bug report and attach your patch there so it's not forgotten.

I keep thinking there ought to be a better solution for this, but I
can't think of one so far.
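
An added example, not part of the original messages or of Volker's patch: a small audit script an administrator of a shared host could run to find `.htaccess` files that select the `server-status` handler through `SetHandler`, as described in the report. The function names and the `SAMPLE` content are constructed for illustration, and comparing the handler name case-insensitively is a conservative assumption.

```python
import os
import re
import shlex

# Directive names are case-insensitive in httpd configuration files.
DIRECTIVE = re.compile(r"^\s*SetHandler\s+(.+?)\s*$", re.IGNORECASE)
# Constructed sample .htaccess content (not taken from the thread).
SAMPLE = (
    "# SetHandler server-status\n"
    "ErrorDocument 404 /missing.html\n"
    'sethandler "Server-Status"\n'
    "SetHandler \\\n"
    "    server-status\n"
)

def logical_lines(text):
    """Yield (first_line_no, line), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start:  # file ended on a dangling continuation
        yield start, buf

def scan_text(text, handler="server-status"):
    """Return line numbers where SetHandler selects `handler`."""
    hits = []
    for no, line in logical_lines(text):
        m = None if line.lstrip().startswith("#") else DIRECTIVE.match(line)
        try:
            if m and shlex.split(m.group(1))[0].lower() == handler:  # shlex strips quotes
                hits.append(no)
        except (ValueError, IndexError):
            pass  # unbalanced quotes or empty argument: not a match
    return hits

def find_status_handlers(root, name=".htaccess"):
    """Walk `root`; return sorted (path, line_no) for every match."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found += [(path, no) for no in scan_text(fh.read())]
    return sorted(found)
```

Call `find_status_handlers()` with the directory that holds the customer document roots; each result is the file path and the line where the directive starts.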

