httpd-dev mailing list archives

From Graham Leggett <>
Subject Re: mod_include and ap_expr
Date Sun, 15 May 2011 14:23:54 GMT
On 15 May 2011, at 3:18 PM, Stefan Fritsch wrote:

> Maybe the -A option was a bad example, then, because it allows only access to resources that can be viewed directly, too. But ap_expr would allow things like
> <!--#if expr="file('/etc/passwd') =~ /.../" >
> This only allows one bit of the file contents to be leaked per request, but if used often enough, it could be used to reconstruct the whole file. For .htaccess, this is not a new problem (see SSLRequire), but for shtml files, it would be.

In the mod_include case, having file() without having the file going through the normal httpd subrequest mechanism to determine whether the user has access to the file is indeed a security problem. The simplest would be to perhaps define a "restricted mode" for ap_expr, which disallowed certain dangerous functions.

You would enable restricted mode if you were parsing shtml, or .htaccess, but leave restricted mode disabled otherwise. Does that sound sensible?
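The restricted mode sketched in the message above, modelled as an added example in C. This is hypothetical code written for this page, not httpd's own ap_expr implementation, and the names (expr_mode, expr_lookup_function, expr_check_functions, the registry entries) are assumptions. A function registry marks file() as requiring full mode, and a parse-time pass rejects any expression that calls a function not permitted in the current mode, so an expression from an shtml file or .htaccess never reaches evaluation with file() in it.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical evaluation modes: the parser is told which one applies. */
typedef enum { EXPR_MODE_FULL = 0, EXPR_MODE_RESTRICTED = 1 } expr_mode;

typedef struct {
    const char *name;
    int needs_full_mode; /* 1 = reads resources without the request's own access checks */
} expr_func_entry;

/* Constructed registry; the real ap_expr function set is not reproduced here. */
static const expr_func_entry registry[] = {
    { "tolower", 0 },
    { "toupper", 0 },
    { "escape",  0 },
    { "file",    1 },  /* reads an arbitrary path, bypassing the subrequest access check */
};

/* Return the entry for `name` if it exists and is allowed in `mode`, else NULL. */
const expr_func_entry *expr_lookup_function(const char *name, expr_mode mode)
{
    size_t i;
    for (i = 0; i < sizeof registry / sizeof registry[0]; i++) {
        if (strcmp(registry[i].name, name) != 0)
            continue;
        if (mode == EXPR_MODE_RESTRICTED && registry[i].needs_full_mode)
            return NULL;        /* known function, but refused in restricted mode */
        return &registry[i];
    }
    return NULL;                /* unknown function */
}

static int is_ident_char(int c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Parse-time check: scan `expr` for calls of the form ident( and refuse the
 * first one not permitted in `mode`. String literals are skipped so that text
 * like 'file(x)' inside quotes is not mistaken for a call.
 * Returns 0 if every call is allowed, -1 otherwise with the offending name in `bad`. */
int expr_check_functions(const char *expr, expr_mode mode, char *bad, size_t badlen)
{
    const char *p = expr;
    while (*p) {
        if (*p == '\'' || *p == '"') {              /* skip a quoted literal */
            char q = *p++;
            while (*p && *p != q) p++;
            if (*p) p++;
            continue;
        }
        if (is_ident_char(*p) && !isdigit((unsigned char)*p)) {
            const char *start = p;
            size_t len;
            while (is_ident_char(*p)) p++;
            len = (size_t)(p - start);
            if (*p == '(') {                        /* identifier used as a function */
                char name[32];
                if (len >= sizeof name) len = sizeof name - 1;
                memcpy(name, start, len);
                name[len] = '\0';
                if (!expr_lookup_function(name, mode)) {
                    snprintf(bad, badlen, "%s", name);
                    return -1;
                }
            }
            continue;
        }
        p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed expressions: one harmless, one using file() on a placeholder path. */
    const char *harmless = "tolower(%{REQUEST_URI}) == '/index.shtml'";
    const char *reads_file = "file('/path/outside/docroot') =~ /x/";
    char bad[32];

    printf("shtml, harmless:   %s\n",
           expr_check_functions(harmless, EXPR_MODE_RESTRICTED, bad, sizeof bad) == 0 ? "ok" : bad);
    printf("shtml, file():     %s\n",
           expr_check_functions(reads_file, EXPR_MODE_RESTRICTED, bad, sizeof bad) == 0 ? "ok" : bad);
    printf("httpd.conf, file(): %s\n",
           expr_check_functions(reads_file, EXPR_MODE_FULL, bad, sizeof bad) == 0 ? "ok" : bad);
    return 0;
}
```

The check runs at parse time rather than at evaluation, so a rejected expression fails when the shtml or .htaccess file is read, before any file is opened; the same expression parsed in full mode (server configuration) is accepted unchanged.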

