httpd-dev mailing list archives

From "Steinar H. Gunderson" <>
Subject Re: mpm-itk and upstream Apache, once again
Date Fri, 20 Jul 2012 22:11:37 GMT
On Thu, Jul 19, 2012 at 05:26:23PM +0100, Nick Kew wrote:
> How does it protect against such potential attacks as running an
> external program as root through a RewriteMap running earlier
> than the directory walk?

By the way, I actually tried this under prefork. I compiled httpd-2.4.2
with prefork and the following configuration in a vhost:

  RewriteEngine on
  Rewritemap examplemap prg:/home/sesse/
  RewriteRule /invalid %{examplemap:$1}

and lo and behold, is started as root. mod_rewrite seems to open
the map programs already when parsing the configuration file, which is before
the MPMs' hooks run (and that's when prefork drops its privileges).

/* Steinar */
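
The behaviour reported in this message means any `prg:` map program is launched with the privileges of the process that parses the configuration. The following audit sketch is an added example, not part of the original message or of httpd: it lists `prg:` maps in a configuration and reports path components a non-root user could alter. The function names, the sample vhost and the `/home/example/map-helper` path are constructed for illustration.

```python
import os
import re
import stat

# "RewriteMap <name> prg:<program>"; Apache directive names are case-insensitive.
# Quoted arguments containing spaces are not handled in this sketch.
PRG_MAP = re.compile(r"^\s*RewriteMap\s+(\S+)\s+prg:(\S+)", re.IGNORECASE)

def find_prg_maps(config_text):
    """Return (line_number, map_name, program_path) for each prg: map."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = PRG_MAP.match(line)  # commented-out lines start with '#': no match
        if match:
            hits.append((number, match.group(1), match.group(2)))
    return hits

def tamper_risks(program, stat_fn=os.stat):
    """Walk from the program up to '/', listing components non-root can alter."""
    risks = []
    current = os.path.abspath(program)
    while True:
        try:
            info = stat_fn(current)
            if info.st_uid != 0:
                risks.append((current, "owned by uid %d" % info.st_uid))
            elif info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                risks.append((current, "group/world-writable"))
        except OSError:
            risks.append((current, "cannot stat"))
        parent = os.path.dirname(current)
        if parent == current:
            return risks
        current = parent

# Constructed sample vhost; the program path is a placeholder.
SAMPLE_CONFIG = """\
<VirtualHost *:80>
  RewriteEngine on
  Rewritemap examplemap prg:/home/example/map-helper
  # RewriteMap oldmap prg:/opt/old/helper
  RewriteMap lower int:tolower
  RewriteRule /invalid %{examplemap:$1}
</VirtualHost>
"""

if __name__ == "__main__":
    for number, name, program in find_prg_maps(SAMPLE_CONFIG):
        print("line %d: map %r starts %s at config parse" % (number, name, program))
        for component, reason in tamper_risks(program):
            print("  risk: %s (%s)" % (component, reason))
```
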
