httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch>
Subject Re: New module mod_allowhandlers / Controlling script execution
Date Tue, 06 Nov 2012 08:44:48 GMT

On Sat, 21 Apr 2012, Jeff Trawick wrote:
>> there is the problem that if modules like mod_status or
>> mod_proxy_balancer are loaded, all people with permissions to create
>> .httaccess files can use the status pages by using SetHandler in an
>> .htaccess file.
> My 2 cents:
> SetHandler shouldn't be used to enable these because it requires an
> unnecessary filesystem walk and only requires a very small amount of
> code to implement a flag directive.  Having ServerStatus On|Off
> anywhere in the configuration would disable the check for r->handler
> == "status-handler" (migration).

I must admit that I haven't looked into why they use the handler for 
configuration. But my feeling is that we won't get rid of modules doing 
it this in the forseeable future.

> Is the use of handler by these a feature though, such as needing to
> let other modules generate these reports by some mechanism other than
> using a subrequest for or redirecting to the location where it is
> enabled?  I don't know how smooth mod_allowhandler would be for that
> anyway.

It does the checks at the end of the fixup hook, which seems to work with 
the setups I could think of. But more testing is needed, of course.

> There are other situations where mod_allowhandlers would be helpful,
> but I think we could provide a simpler mechanism (flag) for the
> several sensitive handlers in bundled modules.

I think having it in trunk would be nice to find problems with this 
approach. Unless someone disagrees, I am going to commit it. Backport to 
2.4 can wait until we are sure that it is a good solution.


View raw message