httpd-dev mailing list archives

From Noel Butler <>
Subject Re: [Vote] .htaccess logic abuse
Date Sat, 19 Nov 2011 00:07:55 GMT
On Sat, 2011-11-19 at 01:46 +0200, Graham Leggett wrote:

> On 19 Nov 2011, at 12:38 AM, William A. Rowe Jr. wrote:
> > After several prods, it seems the security@ and hackathon participants
> > can't be drawn out of their shells on to dev@.  So I'll simply call for
> > a majority vote on the following statement...
> >
> > Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
> >
> >  [X]  Represents a security defect
> >  [ ]  Is not a security defect
>
> The config is clearly demarcated into two types, a "trusted" config
> loaded at startup time rooted at /etc/httpd (or wherever), and a  
> limited "untrusted" config placed into .htaccess files within the  
> content and loaded at runtime. If we were to declare .htaccess as  
> containing "trusted" content only, most of the point behind .htaccess  
> is lost. The trusted admin simply needs to merge .htaccess into the  
> main config, and he gains load-on-startup and copy-on-write, there is  
> little point in one common administrator scattering their config in  
> two separate places or mechanisms.
>
> The people given the power to change both .htaccess and content are
> typically customers of a hosting company, or employees at a corporate,  
> and admins are generally not comfortable exposing themselves to  
> avoidable risk from either group. That said, I do concede that these  
> two groups are more trusted than the typical end user who might access  
> a site, but I still believe we should fix .htaccess problems as  
> reported where it is practical to do so to bring the risk as low as is  
> practical.

Agree completely with Graham
