httpd-docs mailing list archives

From "William A. Rowe Jr." <>
Subject [Result] [Vote] .htaccess logic abuse
Date Tue, 20 Dec 2011 09:25:09 GMT
On 11/18/2011 4:38 PM, William A. Rowe Jr. wrote:
> After several prods, it seems the security@ and hackathon participants
> can't be drawn out of their shells on to dev@.  So I'll simply call for
> a majority vote on the following statement...
> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
>   [ ]  Is not a security defect

Carries with Issac, Joe, Rüdiger, Reindl, Eric, Stefan and myself in support,
and Graham and Noel opposed. (6 x +1/1 x -1)

As previously pointed out...

> This would obviously need to be clarified in the associated .htaccess
> documentation, be associated with an advisory and affect the conclusion
> of several recent defect reports, both embargoed and discussed plainly
> here on this list.

We should start updating any relevant docs to point out that enabling
.htaccess *does* introduce the ability for an untrusted user to consume
an inordinate amount of server resources.  I don't think we need to go
into the details discovered by our security team to make that point.
