httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Untainting an incoming request
Date Wed, 28 Jul 2010 01:46:35 GMT
I've just hacked up a module to perform simple security checks on
an incoming request.  Loosely inspired by Perl's untainting.

It implements untainting rules.  Each rule matches a request attribute
to a regexp, and can either:
  (a) enforce a match, and return an error (default: 400) if it doesn't match.
  (b) untaint a request attribute Perl-style

It supports untainting components of the request line, and any request header.
TODO: support untainting of parsed query args.
No plans for anything more ambitious like checking POST data (use mod_security).

Drop it in to trunk?

Nick Kew
View raw message