httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject New module mod_allowhandlers / Controlling script execution
Date Sat, 21 Apr 2012 19:48:07 GMT
Hi,

there is the problem that if modules like mod_status or 
mod_proxy_balancer are loaded, all people with permissions to create 
.httaccess files can use the status pages by using SetHandler in an 
.htaccess file.

I had the idea to create a module like mod_allowmethods, but for 
handlers, that allows to restrict which handlers can be used in 
particular locations. The following config would e.g. prevent 
mod_userdir users from enabling the status pages in their home 
directory:

<Location />
  AllowHandlers not server-info server-status balancer-manager
</Location>

<Location /server-status>
  AllowHandlers all
  SetHandler server-status
</Location>

PoC implementation is at 
http://people.apache.org/~sf/mod_allowhandlers.c . Any objections 
against committing this to trunk?

It does it checks at the end of the fixup hook. This catches all the 
common ways to set a handler, but of course it is possible that some 
modules may bypass that check (e.g. by changing the handler in an 
early handler hook). But IMHO this could be solved by documentation.

The config syntax can probably be improved. Specifying a white-list is 
not that easy, because by default every file will have its mime-type 
as handler name. Maybe it needs some pattern or regex matching. Any 
better ideas?

Another idea where this could be handy: To deny script execution in 
some directories. Currently one needs to have a bunch of RemoveHandler 
and RemoveType statements for various modules (e.g. application/x-
httpd-php, lua-script). If AllowHandlers allowed to define list 
aliases, one could maybe disable them all with a simple command:

AllowHandlers not SCRIPTING

If every scripting module registered its active handler(s) with 
mod_allowhandlers, there would even be no need for defining the alias 
manually.


Or would it be a better idea to introduce a new "Options ExecScripts" 
flag and ask all scripting modules to honor that? Or just recommend 
that they use ExecCGI? 

Cheers,
Stefan

Mime
View raw message