httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c
Date Thu, 27 Apr 2017 17:51:47 GMT
On Fri, Apr 21, 2017 at 4:44 AM,  <niq@apache.org> wrote:
> +    /* A request that has passed through .htaccess has no business
> +     * landing up here.
> +     */
> +    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
> +        return DECLINED;
> +    }
> +
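Review bot: the check is coarser than the comment above it describes: AP_TAINT_HTACCESS marks any request that passed through a .htaccess file, so the handler is refused even when the file set nothing that affects it, and the bare `return DECLINED;` gives the administrator no log line explaining why /server-status stopped answering. Suggest either narrowing the condition to a taint that reflects a handler-relevant change, or at minimum logging the refusal at debug level before returning DECLINED, so the silent fall-through is diagnosable.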

If AllowOverride is enabled for the document root and an htaccess is
present, this renders /server-status unreachable, regardless of
what's in the htaccess. If we're going to block this by default, we
might as well just stop configuring it with SetHandler and then the
taint checking is not needed.

We also have in another thread the issue with RewriteRule ... [P] in
htaccess being blocked.  We need some kind of way to express a policy
that will be unique to different handlers.

-- 
Eric Covener
covener@gmail.com
