On 15 May 2011, at 3:18 PM, Stefan Fritsch wrote:
> Maybe the -A option was a bad example, then, because it allows only
> access to resources that can be viewed directly, too. But ap_expr
> would allow things like
>
> <!--#if expr="file('/etc/passwd') =~ /.../" >
>
> This only allows leaking one bit of the file contents per request,
> but if used often enough, it could be used to reconstruct the whole
> file. For .htaccess, this is not a new problem (see SSLRequire), but
> for shtml files, it would be.
Hmmm...
In the mod_include case, having file() without having the file going
through the normal httpd subrequest mechanism to determine whether the
user has access to the file is indeed a security problem. The simplest
would perhaps be to define a "restricted mode" for ap_expr, which
disallowed certain dangerous functions.
You would enable restricted mode if you were parsing shtml,
or .htaccess, but leave restricted mode disabled otherwise. Does that
sound sensible?
Regards,
Graham
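An added illustration of the "restricted mode" idea proposed above, written for this page and not taken from httpd's ap_expr implementation. The context names, the in-memory stand-ins for the filesystem and environment, and the tiny grammar subset are all assumptions; the point is that in shtml and .htaccess contexts a forbidden function is rejected at parse time, before anything is read.

```python
import re

# Contexts where user-editable content is parsed (names are assumptions).
RESTRICTED_CONTEXTS = {"shtml", "htaccess"}
# Functions that bypass the normal subrequest/access-control path. Only
# file() is named in the thread; a real policy would review every function.
RESTRICTED_FUNCTIONS = {"file"}

# Constructed stand-ins so the example runs offline without touching disk.
FAKE_FILES = {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"}
FAKE_ENV = {"REQUEST_METHOD": "GET"}

FUNCTIONS = {
    "file": lambda arg: FAKE_FILES.get(arg, ""),
    "env": lambda arg: FAKE_ENV.get(arg, ""),
}

# Grammar subset: <func>('<arg>') =~ /<regex>/  or  <func>('<arg>') == '<lit>'
EXPR = re.compile(
    r"^\s*(?P<func>[A-Za-z_]\w*)\('(?P<arg>[^']*)'\)\s*"
    r"(?:=~\s*/(?P<re>[^/]*)/|==\s*'(?P<lit>[^']*)')\s*$"
)

class RestrictedFunctionError(ValueError):
    """Raised when an expression uses a function forbidden in its context."""

def eval_expr(expr, context):
    """Parse and evaluate expr. In a restricted context a forbidden function
    is refused before evaluation, so not even one bit of a file can leak."""
    m = EXPR.match(expr)
    if not m:
        raise SyntaxError("unsupported expression: %r" % expr)
    func = m.group("func")
    if context in RESTRICTED_CONTEXTS and func in RESTRICTED_FUNCTIONS:
        raise RestrictedFunctionError(
            "%s() not allowed in %s context" % (func, context))
    if func not in FUNCTIONS:
        raise NameError("unknown function %s" % func)
    value = FUNCTIONS[func](m.group("arg"))
    if m.group("re") is not None:
        return re.search(m.group("re"), value) is not None
    return value == m.group("lit")

def safe_eval(expr, context):
    """Return (ok, result) so a caller such as mod_include can log a refusal."""
    try:
        return True, eval_expr(expr, context)
    except RestrictedFunctionError as e:
        return False, str(e)
```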