httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: New module mod_allowhandlers / Controlling script execution
Date Sat, 21 Apr 2012 20:10:07 GMT
On Sat, Apr 21, 2012 at 3:48 PM, Stefan Fritsch <sf@sfritsch.de> wrote:
> Hi,
>
> there is the problem that if modules like mod_status or
> mod_proxy_balancer are loaded, all people with permissions to create
> .htaccess files can use the status pages by using SetHandler in an
> .htaccess file.

My 2 cents:

SetHandler shouldn't be used to enable these because it requires an
unnecessary filesystem walk and only requires a very small amount of
code to implement a flag directive.  Having ServerStatus On|Off
anywhere in the configuration would disable the check for r->handler
== "status-handler" (migration).

Is the use of handler by these a feature though, such as needing to
let other modules generate these reports by some mechanism other than
using a subrequest for or redirecting to the location where it is
enabled?  I don't know how smooth mod_allowhandlers would be for that
anyway.

There are other situations where mod_allowhandlers would be helpful,
but I think we could provide a simpler mechanism (flag) for the
several sensitive handlers in bundled modules.

>
> I had the idea to create a module like mod_allowmethods, but for
> handlers, that allows to restrict which handlers can be used in
> particular locations. The following config would e.g. prevent
> mod_userdir users from enabling the status pages in their home
> directory:
>
> <Location />
>  AllowHandlers not server-info server-status balancer-manager
> </Location>
>
> <Location /server-status>
>  AllowHandlers all
>  SetHandler server-status
> </Location>
>
> PoC implementation is at
> http://people.apache.org/~sf/mod_allowhandlers.c . Any objections
> against committing this to trunk?
>
> It does its checks at the end of the fixup hook. This catches all the
> common ways to set a handler, but of course it is possible that some
> modules may bypass that check (e.g. by changing the handler in an
> early handler hook). But IMHO this could be solved by documentation.
>
> The config syntax can probably be improved. Specifying a white-list is
> not that easy, because by default every file will have its mime-type
> as handler name. Maybe it needs some pattern or regex matching. Any
> better ideas?
>
> Another idea where this could be handy: To deny script execution in
> some directories. Currently one needs to have a bunch of RemoveHandler
> and RemoveType statements for various modules (e.g.
> application/x-httpd-php, lua-script). If AllowHandlers allowed to define list
> aliases, one could maybe disable them all with a simple command:
>
> AllowHandlers not SCRIPTING
>
> If every scripting module registered its active handler(s) with
> mod_allowhandlers, there would even be no need for defining the alias
> manually.
>
>
> Or would it be a better idea to introduce a new "Options ExecScripts"
> flag and ask all scripting modules to honor that? Or just recommend
> that they use ExecCGI?
>
> Cheers,
> Stefan



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
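
An audit for the exposure described in the quoted message, added here as an example and not part of either poster's mail or of mod_allowhandlers: it scans the text of an .htaccess file for SetHandler or AddHandler lines that name the three handlers listed in the thread. The function names and the sample content are constructed for illustration.

```python
import shlex

# Handler names the thread lists as sensitive; extend for local modules.
SENSITIVE = {"server-status", "server-info", "balancer-manager"}
DIRECTIVES = {"sethandler", "addhandler"}

def logical_lines(text):
    """Yield (first_line_no, line), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf

def find_sensitive_handlers(text):
    """Return [(line_no, directive, handler)]; matching ignores case."""
    hits = []
    for n, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)      # strips quotes around arguments
        except ValueError:                 # unbalanced quote: fall back
            words = line.split()
        if len(words) >= 2 and words[0].lower() in DIRECTIVES \
                and words[1].lower() in SENSITIVE:
            hits.append((n, words[0], words[1].lower()))
    return hits

# Constructed sample .htaccess content, not taken from a real server.
SAMPLE = '''\
Options -Indexes
SetHandler "Server-Status"
<Files "bal">
  sethandler \\
     balancer-manager
</Files>
# SetHandler server-info
AddHandler cgi-script .cgi
'''

if __name__ == "__main__":
    for hit in find_sensitive_handlers(SAMPLE):
        print(hit)
```

The scan is line-based, so it also reports directives nested inside sections such as `<Files>`, and it reports the first line of a continued directive.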
