Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 61255 invoked from network); 6 Aug 2010 08:46:22 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 6 Aug 2010 08:46:22 -0000 Received: (qmail 779 invoked by uid 500); 6 Aug 2010 08:46:21 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 240 invoked by uid 500); 6 Aug 2010 08:46:18 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 232 invoked by uid 99); 6 Aug 2010 08:46:17 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 06 Aug 2010 08:46:17 +0000 X-ASF-Spam-Status: No, hits=0.7 required=10.0 tests=SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (nike.apache.org: local policy) Received: from [80.229.52.226] (HELO freya.local) (80.229.52.226) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 06 Aug 2010 08:46:11 +0000 Received: from [127.0.0.1] (localhost [127.0.0.1]) by freya.local (Postfix) with ESMTP id 87137224140 for ; Fri, 6 Aug 2010 09:45:49 +0100 (BST) Subject: Fwd: Untainting an incoming request References: <59E32A94-4045-457E-B372-6DA44F1692AD@webthing.com> From: Nick Kew Content-Type: text/plain; charset=us-ascii Message-Id: <003CC6F9-D8A9-4648-B93B-BF1ECB1338F6@webthing.com> Date: Fri, 6 Aug 2010 09:45:49 +0100 To: dev@httpd.apache.org Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Apple Message framework v1081) X-Mailer: Apple Mail (2.1081) X-Virus-Checked: Checked by ClamAV on apache.org This (among others) seems to have got lost in the ether. Dan, I did reply to your comments :) Begin forwarded message: > From: Nick Kew > Date: 28 July 2010 23:38:10 GMT+01:00 > To: dev@httpd.apache.org > Subject: Re: Untainting an incoming request >=20 >=20 > On 28 Jul 2010, at 13:13, Dan Poirier wrote: >=20 >> Example usage? >>=20 >> Just to better understand the scope, can this do things that one >> couldn't do (however painfully) with mod_rewrite? >=20 > Very likely not (that's not the purpose of it). Complexity - and = hence > a mod_rewrite-based alternative - is the enemy of security. Merging > duplicate request headers is a simplicity feature that would not sit > so well in mod_rewrite, and without it we have huge complexity in > devising untainting rules! >=20 > I did indeed contemplate implementing the function with an "untaint" = directive=20 > in mod_rewrite, that would translate to a RewriteCond+RewriteRule = pair. > But that's asking for trouble: giving every future tweak to = mod_rewrite > potential to impact on or break a security feature. >=20 > --=20 > Nick Kew