httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject Re: [Vote] .htaccess logic abuse
Date Fri, 18 Nov 2011 23:46:14 GMT
On 19 Nov 2011, at 12:38 AM, William A. Rowe Jr. wrote:

> After several prods, it seems the security@ and hackathon participants
> can't be drawn out of their shells on to dev@.  So I'll simply call  
> for
> a majority vote on the following statement...
> Resource abuse of an .htaccess config in the form of cpu/memory/ 
> bandwidth;
>  [X]  Represents a security defect
>  [ ]  Is not a security defect

The config is clearly demarcated into two types, a "trusted" config  
loaded at startup time rooted at /etc/httpd (or wherever), and a  
limited "untrusted" config placed into .htaccess files within the  
content and loaded at runtime. If we were to declare .htaccess as  
containing "trusted" content only, most of the point behind .htaccess  
is lost. The trusted admin simply needs to merge .htaccess into the  
main config, and he gains load-on-startup and copy-on-write, there is  
little point in one common administrator scattering their config in  
two separate places or mechanisms.

The people given the power to change both .htaccess and content are  
typically customers of a hosting company, or employees at a corporate,  
and admins are generally not comfortable exposing themselves to  
avoidable risk from either group. That said, I do concede that these  
two groups are more trusted than the typical end user who might access  
a site, but I still believe we should fix .htaccess problems as  
reported where it is practical to do so to bring the risk as low as is  


View raw message