httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: New module mod_allowhandlers / Controlling script execution
Date Wed, 07 Nov 2012 10:17:26 GMT
On Tuesday, November 6, 2012, Stefan Fritsch wrote:

> Hi,
>
> On Sat, 21 Apr 2012, Jeff Trawick wrote:
>
>>> there is the problem that if modules like mod_status or
>>> mod_proxy_balancer are loaded, all people with permissions to create
>>> .htaccess files can use the status pages by using SetHandler in an
>>> .htaccess file.
>>>
>>
>> My 2 cents:
>>
>> SetHandler shouldn't be used to enable these because it requires an
>> unnecessary filesystem walk and only requires a very small amount of
>> code to implement a flag directive.  Having ServerStatus On|Off
>> anywhere in the configuration would disable the check for r->handler
>> == "status-handler" (migration).
>>
>
> I must admit that I haven't looked into why they use the handler for
> configuration. But my feeling is that we won't get rid of modules doing
> this in the foreseeable future.
>
>> Is the use of handler by these a feature though, such as needing to
>> let other modules generate these reports by some mechanism other than
>> using a subrequest for or redirecting to the location where it is
>> enabled?  I don't know how smooth mod_allowhandler would be for that
>> anyway.
>>
>
> It does the checks at the end of the fixup hook, which seems to work with
> the setups I could think of. But more testing is needed, of course.
>
>> There are other situations where mod_allowhandlers would be helpful,
>> but I think we could provide a simpler mechanism (flag) for the
>> several sensitive handlers in bundled modules.
>>
>
> I think having it in trunk would be nice to find problems with this
> approach. Unless someone disagrees, I am going to commit it. Backport to
> 2.4 can wait until we are sure that it is a good solution.


+1


>
> Cheers,
> Stefan
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
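The exposure discussed in the thread (a user who can write .htaccess files turning on mod_status output with SetHandler) can be contained with core httpd directives that already exist, independently of mod_allowhandlers. The following config fragment is an added example, not part of the thread or of the module under discussion; the paths /var/www/site and the admin network 192.0.2.0/24 are constructed placeholders.

```apache
# WEAK: FileInfo in AllowOverride lets any .htaccess author write
# "SetHandler server-status" and read the status page from their own
# directory, because the handler name is what mod_status keys on.
<Directory /var/www/site>
    AllowOverride FileInfo Indexes Limit
    Require all granted
</Directory>

# HARDENED: SetHandler belongs to the FileInfo override class, so
# leaving FileInfo out of AllowOverride means .htaccess cannot set a
# handler at all. Keep only the classes the site really needs.
<Directory /var/www/site>
    AllowOverride Indexes Limit
    Require all granted
</Directory>

# Expose the status page at one deliberately configured location only,
# restricted to an admin network (placeholder range) rather than to
# everyone. ExtendedStatus Off keeps per-request details out of the page.
ExtendedStatus Off
<Location /server-status>
    SetHandler server-status
    Require ip 192.0.2.0/24
</Location>
```

A quick check after applying this: place a test .htaccess containing `SetHandler server-status` under /var/www/site and request a file from that directory; with FileInfo removed, httpd logs a 500 with ".htaccess: SetHandler not allowed here" instead of serving the status report, which is the behaviour to expect in an audit.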
