httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch>
Subject Re: mod_include and ap_expr
Date Sun, 15 May 2011 13:18:41 GMT
On Sun, 15 May 2011, Graham Leggett wrote:
>> Do you think that untrusted shmtl files are not a common use case? In that 
>> case I would tend to the "people can always switch back to the old 
>> restricted expression syntax" solution.
> I don't follow what you mean by "untrusted shtml files"?

shtml files that are writable by users who are not allowed to read all 
files that httpd may have access to. .htaccess files have similar issues.

> What the -A option does is say "if this particular request for this URL would 
> succeed should this particular user attempt to access this particular URL 
> directly, then show this data". Or in English, you would use the -A option 
> within a page to show or hide links to something in a page depending on 
> whether that person has access to that link.

Maybe the -A option was a bad example, then, because it allows only 
access to resources that can be viewed directly, too. But ap_expr would 
allow things like

<!--#if expr="file('/etc/passwd') =~ /.../" >

This only allows to leak one bit of the file contents per request, but if 
used often enough, it could be used to reconstruct the whole file. For 
.htaccess, this is not a new problem (see SSLRequire), but for shtml 
files, it would be.

View raw message