httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: [Vote] .htaccess logic abuse
Date Mon, 21 Nov 2011 09:37:28 GMT

> -----Original Message-----
> From: Stefan Fritsch [mailto:sf@sfritsch.de]
> Sent: Saturday, 19 November 2011 03:37
> To: dev@httpd.apache.org
> Subject: Re: [Vote] .htaccess logic abuse
> 
> On Friday 18 November 2011, William A. Rowe Jr. wrote:
> > Resource abuse of an .htaccess config in the form of
> > cpu/memory/bandwidth;
> > 
> >    [ ]  Represents a security defect
> >    [X]  Is not a security defect
> > 
> > This would obviously need to be clarified in the associated
> > .htaccess documentation, be associated with an advisory and affect
> > the conclusion of several recent defect reports, both embargoed
> > and discussed plainly here on this list.
> 
> We should not make any promises we won't be able to keep. There are
> countless ways to cause a DoS from .htaccess. The .htaccess mechanism
> has not been designed with resource limitation in mind. Changing that
> will be a lot of work and will likely break ABI/API, i.e. the fixes
> won't be backportable to stable releases. We should treat those issues
> as regular bugs and make DoS-safe .htaccess a goal. But we should make
> it clear that this goal likely won't be reached in 2.4.x and earlier.
> 

+1. Well put.

Regards

Rüdiger
