From: Stefan Fritsch
To: dev@httpd.apache.org
Date: Wed, 7 Nov 2012 14:30:07 +0100 (CET)
Subject: Re: Rethinking "be liberal in what you accept"
In-Reply-To: <20121107115411.350f549e@baldur>

On Wed, 7 Nov 2012, Nick Kew wrote:

>> What do you think?
>
> I've made occasional efforts in this direction in the past,
> but never seen much interest in bringing such functionality
> into core (as opposed to WAF).
>
> One such: http://people.apache.org/~niq/mod_taint.html

What you proposed there was broader in scope, using regular expressions, allowing lots of flexibility and allowing it to be adjusted to your webapps. I really only want to interpret the RFCs more strictly, and do that fast.

Looking at mod_taint, I think it may be useful for 2.2. But in 2.4, quite a bit of it can be done with:

    Require all denied
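As an added illustration of the 2.4 approach the reply alludes to (not part of the original thread, and not Stefan's or Nick's configuration), the fragment below uses httpd 2.4 `<If>` sections with ap_expr regexes to reject requests that do not fit a strict reading of the RFC grammar, answering each with `Require all denied` (a 403). The specific checks, the method allow-list and the `/strict` location are assumptions chosen for the example; the host regex deliberately omits IPv6 literal hosts and would need extending for them.

```apache
# Added example: strict-syntax request filtering in httpd 2.4 using
# <If> + ap_expr + "Require all denied". Not from the original thread.
# Assumptions: only GET/HEAD/POST/OPTIONS are legitimate for this site,
# and the site serves plain hostnames (no IPv6 literal in Host:).

<Location "/strict">
    # RFC 7230: reject request methods this site never expects.
    # The expression is evaluated after httpd has parsed the request
    # line, so it cannot catch malformed request lines themselves.
    <If "%{REQUEST_METHOD} !~ /^(GET|HEAD|POST|OPTIONS)$/">
        Require all denied
    </If>

    # RFC 3986 reg-name plus optional port: reject a Host header that
    # contains anything outside [A-Za-z0-9.-] or an invalid port part.
    <If "%{HTTP_HOST} !~ /^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/">
        Require all denied
    </If>

    # RFC 7230 section 3.3.3: a message carrying both Transfer-Encoding
    # and Content-Length is ambiguous (request-smuggling territory);
    # refuse it outright rather than guessing which header wins.
    <If "%{HTTP:Transfer-Encoding} != '' && %{HTTP:Content-Length} != ''">
        Require all denied
    </If>

    # Reject raw control characters in the request URI; RFC 3986 only
    # allows pct-encoded forms of these.
    <If "%{REQUEST_URI} =~ /[\x00-\x1f\x7f]/">
        Require all denied
    </If>

    # Everything that survived the checks above is allowed through.
    Require all granted
</Location>
```

Two practitioner caveats worth keeping in mind with this style: `<If>` runs once per request and every clause is a regex match, which is exactly the cost the reply wants to avoid ("do that fast"), and the checks only see what the core parser has already accepted, so a parser-level strictness change in core still covers ground that configuration cannot.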