I understand any module *can* set content-type late: I'm just wondering if
that happens with any frequency. E.g. when I googled for how to set
content-type in Apache, I got references to AddType and some hacks using
mod_rewrite, both of which would run upstream of my filter. My main
concern is
-Original Message-
From: Eric Covener []
Sent: Thursday, June 7, 2012 19:23
To: dev@httpd.apache.org
Subject: Re: post-CVE-2011-4317 (rewrite proxy unintended
interpolation) rewrite PR's
On Thu, Jun 7, 2012 at 1:14 PM, Jeff Trawick traw...@gmail.com wrote:
Eric, what was the
-Original Message-
From: Daniel Ruggeri Sent: Friday, June 8, 2012 00:16
To: dev@httpd.apache.org
Subject: Re: [PATCH] mod_log_forensic security considerations
On 6/7/2012 3:11 PM, Stefan Fritsch wrote:
On Thursday 07 June 2012, Eric Covener wrote:
On Wed, Jun 6, 2012 at
On Thu, Jun 07, 2012 at 01:23:29PM -0400, Eric Covener wrote:
e.g. RewriteOptions +I know I'm running this regex against something
that's not guaranteed to look like a URL-path, and I'll write a regex
that carefully matches/captures the input
How about this? I'm not sure how to put the right
On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton jor...@redhat.com wrote:
I like Eric's suggestion of an opt-in RewriteOption. This will avoid
having to iterate yet again if the whitelist is either too broad or too
narrow, and can
On 06/08/2012 12:13 PM, Graham Leggett wrote:
On 08 Jun 2012, at 12:16 AM, Daniel Ruggeri wrote:
I share William's concern that this makes mod_forensic potentially less
useful.
Maybe making the forensic log mode 600 by default would be a better
idea?
Agreed as well. This module isn't
On Fri, Jun 8, 2012 at 4:58 AM, Joe Orton jor...@redhat.com wrote:
On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton jor...@redhat.com wrote:
I like Eric's suggestion of an opt-in RewriteOption. This will avoid
having to iterate yet
- Original Message -
From: Daniel Gruno rum...@cord.dk
To: dev@httpd.apache.org
Cc:
Sent: Friday, June 8, 2012 6:24 AM
Subject: Re: [PATCH] mod_log_forensic security considerations
On 06/08/2012 12:13 PM, Graham Leggett wrote:
On 08 Jun 2012, at 12:16 AM, Daniel Ruggeri wrote:
On 06/08/2012 05:45 PM, Joe Schaefer wrote:
Well not quite, we'd still have had a problem with storing and
archiving those logs even if we hadn't made them available to
committers, because they violate our password retention policies.
My point was, that it should fall upon us to add a filter
On 08 Jun 2012, at 5:45 PM, Joe Schaefer wrote:
Well not quite, we'd still have had a problem with storing and archiving
those logs even if we hadn't made them available to committers, because
they violate our password retention policies.
Can you clarify if possible what purpose you were
For several years Graham those logs were rather valuable
in tracking down segfaulting svn requests. Security releases
were made as a result of some of those reports to the
Subversion project.
- Original Message -
From: Graham Leggett minf...@sharp.fm
To: dev@httpd.apache.org
Cc:
On Jun 8, 2012, at 11:51 AM, Graham Leggett wrote:
On 08 Jun 2012, at 5:45 PM, Joe Schaefer wrote:
Well not quite, we'd still have had a problem with storing and archiving
those logs even if we hadn't made them available to committers, because
they violate our password retention policies.
On 6/8/2012 12:52 PM, Jim Riggs wrote:
Having the forensic logs available has proven extremely helpful in this
scenario. Might the full, unfiltered forensic data be valuable? Yes, but I
don't believe the security risk is worth it in my situation. The rare case
where an Authorization header
On 08 Jun 2012, at 7:22 PM, Joe Schaefer wrote:
For several years Graham those logs were rather valuable
in tracking down segfaulting svn requests. Security releases
were made as a result of some of those reports to the
Subversion project.
I'm sure they were, that's exactly what the
On 6/8/2012 10:55 AM, Daniel Gruno wrote:
On 06/08/2012 05:45 PM, Joe Schaefer wrote:
Well not quite, we'd still have had a problem with storing and
archiving those logs even if we hadn't made them available to
committers, because they violate our password retention policies.
My point was,