From docs-return-10136-apmail-httpd-docs-archive=httpd.apache.org@httpd.apache.org Tue Dec 20 09:25:47 2011
Return-Path: 
X-Original-To: apmail-httpd-docs-archive@www.apache.org
Delivered-To: apmail-httpd-docs-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 127329762 for ; Tue, 20 Dec 2011 09:25:47 +0000 (UTC)
Received: (qmail 92227 invoked by uid 500); 20 Dec 2011 09:25:46 -0000
Delivered-To: apmail-httpd-docs-archive@httpd.apache.org
Received: (qmail 92136 invoked by uid 500); 20 Dec 2011 09:25:46 -0000
Mailing-List: contact docs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
list-help: 
list-unsubscribe: 
List-Post: 
Reply-To: docs@httpd.apache.org
List-Id: 
Delivered-To: mailing list docs@httpd.apache.org
Received: (qmail 92128 invoked by uid 99); 20 Dec 2011 09:25:45 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 20 Dec 2011 09:25:45 +0000
X-ASF-Spam-Status: No, hits=0.7 required=5.0 tests=SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Received: from [72.167.82.88] (HELO p3plsmtpa01-08.prod.phx3.secureserver.net) (72.167.82.88) by apache.org (qpsmtpd/0.29) with SMTP; Tue, 20 Dec 2011 09:25:38 +0000
Received: (qmail 27834 invoked from network); 20 Dec 2011 09:25:16 -0000
Received: from unknown (76.252.112.72) by p3plsmtpa01-08.prod.phx3.secureserver.net (72.167.82.88) with ESMTP; 20 Dec 2011 09:25:16 -0000
Message-ID: <4EF05475.5020307@rowe-clan.net>
Date: Tue, 20 Dec 2011 03:25:09 -0600
From: "William A. Rowe Jr." 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: dev@httpd.apache.org, "docs@httpd.apache.org"
Subject: [Result] [Vote] .htaccess logic abuse
References: <4EC6DE56.9020701@rowe-clan.net>
In-Reply-To: <4EC6DE56.9020701@rowe-clan.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 11/18/2011 4:38 PM, William A. Rowe Jr. wrote:
> After several prods, it seems the security@ and hackathon participants
> can't be drawn out of their shells on to dev@. So I'll simply call for
> a majority vote on the following statement...
>
> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
>
> [ ] Is not a security defect

Carries with Issac, Joe, Rüdiger, Reindl, Eric, Stefan and myself in support,
and Graham and Noel opposed. (6 x +1/1 x -1)

As previously pointed out...

> This would obviously need to be clarified in the associated .htaccess
> documentation, be associated with an advisory and affect the conclusion
> of several recent defect reports, both embargoed and discussed plainly
> here on this list.

We should start updating any relevant docs to point out that enabling
.htaccess *does* introduce the ability for an untrusted user to consume
an inordinate amount of server resources. I don't think we need to go
into the details discovered by our security team to make that point.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
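Added illustration, not part of the message above and not httpd project documentation: the decision the vote result asks administrators to understand is made per directory with the AllowOverride directive, which controls whether httpd reads .htaccess files at all and, if so, which directive classes they may contain. The fragment below contrasts the setting that exposes the server to the resource consumption described in the thread with two that do not. It assumes httpd 2.4 syntax (Require, AllowOverrideList) and the paths under /srv/www are made up for the example.

```apache
# Added example, not from the thread. Paths under /srv/www are assumed;
# httpd 2.4 syntax is assumed (Require, AllowOverrideList).

# Default for the whole filesystem: .htaccess is not consulted. With
# AllowOverride None and AllowOverrideList None, httpd does not even
# open .htaccess files, so a user who can write into a served tree has
# no per-request influence on the server through them.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

<Directory "/srv/www/site">
    AllowOverride None
    Require all granted
</Directory>

# Weak setting: anyone who can write into this tree gets every override
# class (AuthConfig, FileInfo, Indexes, Limit, Options), and with it the
# directives that the thread says must be documented as letting an
# untrusted user consume CPU, memory and bandwidth.
<Directory "/srv/www/site/shared">
    AllowOverride All
    Require all granted
</Directory>

# Narrower alternative where per-directory overrides are genuinely
# needed: grant only the override class the users require, plus, on 2.4,
# individually named directives instead of a whole class.
<Directory "/srv/www/site/users">
    AllowOverride AuthConfig
    AllowOverrideList Redirect
    Require all granted
</Directory>
```

AllowOverride is only honoured inside a non-regex <Directory> section, so the check a practitioner wants is to list every such section in the active configuration and confirm that AllowOverride is None (or a deliberately minimal list) for every tree that untrusted users can write into; a tree with AllowOverride All and untrusted writers is the situation this vote classifies as expected behaviour rather than a defect.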