httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <>
Subject Re: New module mod_allowhandlers / Controlling script execution
Date Sat, 21 Apr 2012 20:10:07 GMT
On Sat, Apr 21, 2012 at 3:48 PM, Stefan Fritsch <> wrote:
> Hi,
> there is the problem that if modules like mod_status or
> mod_proxy_balancer are loaded, all people with permissions to create
> .httaccess files can use the status pages by using SetHandler in an
> .htaccess file.

My 2 cents:

SetHandler shouldn't be used to enable these because it requires an
unnecessary filesystem walk and only requires a very small amount of
code to implement a flag directive.  Having ServerStatus On|Off
anywhere in the configuration would disable the check for r->handler
== "status-handler" (migration).

Is the use of handler by these a feature though, such as needing to
let other modules generate these reports by some mechanism other than
using a subrequest for or redirecting to the location where it is
enabled?  I don't know how smooth mod_allowhandler would be for that

There are other situations where mod_allowhandlers would be helpful,
but I think we could provide a simpler mechanism (flag) for the
several sensitive handlers in bundled modules.

> I had the idea to create a module like mod_allowmethods, but for
> handlers, that allows to restrict which handlers can be used in
> particular locations. The following config would e.g. prevent
> mod_userdir users from enabling the status pages in their home
> directory:
> <Location />
>  AllowHandlers not server-info server-status balancer-manager
> </Location>
> <Location /server-status>
>  AllowHandlers all
>  SetHandler server-status
> </Location>
> PoC implementation is at
> . Any objections
> against committing this to trunk?
> It does it checks at the end of the fixup hook. This catches all the
> common ways to set a handler, but of course it is possible that some
> modules may bypass that check (e.g. by changing the handler in an
> early handler hook). But IMHO this could be solved by documentation.
> The config syntax can probably be improved. Specifying a white-list is
> not that easy, because by default every file will have its mime-type
> as handler name. Maybe it needs some pattern or regex matching. Any
> better ideas?
> Another idea where this could be handy: To deny script execution in
> some directories. Currently one needs to have a bunch of RemoveHandler
> and RemoveType statements for various modules (e.g. application/x-
> httpd-php, lua-script). If AllowHandlers allowed to define list
> aliases, one could maybe disable them all with a simple command:
> AllowHandlers not SCRIPTING
> If every scripting module registered its active handler(s) with
> mod_allowhandlers, there would even be no need for defining the alias
> manually.
> Or would it be a better idea to introduce a new "Options ExecScripts"
> flag and ask all scripting modules to honor that? Or just recommend
> that they use ExecCGI?
> Cheers,
> Stefan

Born in Roswell... married an alien...

View raw message