httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: how to avoid balancer manager nonce?
Date Sat, 08 Sep 2012 15:25:30 GMT
CSRF against balancer_manager... Looks like jorton himself
was the person who first referenced and defined it as a nonce.

On Sep 5, 2012, at 7:08 AM, Ben Laurie <ben@links.org> wrote:

> On Wed, Sep 5, 2012 at 11:57 AM, Jim Jagielski <jim@jagunet.com> wrote:
>> FWIW, I have time this week to impl this...
>> 
>> Feedback/Concerns?
> 
> I still want to know what the "nonce" is actually for! Are you going
> to make me read the code and guess?
> 
>> 
>> On Sep 1, 2012, at 11:47 AM, Jim Jagielski <jim@jaguNET.com> wrote:
>> 
>>> Another alternative would be to have the nonce also possibly
>>> set at config-time and, if unset, then use the uuid. That way
>>> it could also be used as a sort of shared-secret ;)
>>> 
>>>      ProxySet nonce="applepie!"
>>> 
>>> Longer term, I think that's a more "strategic" solution.
>>> 
>>> On Aug 31, 2012, at 2:14 PM, Stefan Fritsch <sf@sfritsch.de> wrote:
>>> 
>>>> On Friday 31 August 2012, Eric Covener wrote:
>>>>> I'm fighting a problem on new releases of AIX where in some
>>>>> environments, /dev/random seems to run out of entropy way too
>>>>> quick.
>>>>> 
>>>>> I'd like a way to suppress the apr_uuid_get->
>>>>> apr_generate_random_bytes() in mod_proxy_balancer used for the
>>>>> balancer-manager nonce in affected environments.
>>>>> 
>>>>> I was thinking a global "BalancerManager off" could be used for
>>>>> this and would also have the upside of fixing the SetHandler
>>>>> htaccess problem.
>>>>> 
>>>>> Alternatives would be to find a weaker source for the nonce, or
>>>>> allow tto opt out / use a hard-coded one.
>>>>> 
>>>>> Any suggestions?
>>>> 
>>>> For 2.4, you could use ap_random_insecure_bytes(). It should be good
>>>> enough for a nonce.
>>>> 
>>>> If you add a "BalancerManager off", it should be per directory, or at
>>>> least per vhost. Otherwise it would not help that much with the
>>>> SetHandler htaccess problem.
>>>> 
>>> 
>> 
> 


Mime
View raw message