On Wed, Nov 02, 2005 at 08:41:18PM +0100, Ruediger Pluem wrote:
> I do not regard this as a showstopper since we only have an admittedly
> serious security problem in a *specific* configuration. I think it is
> enough to add a big warning to the mod_cache documentation that
> protecting cached resources with mod_authz_host does not work as
> expected. There are many ways to create an insecure configuration if
> you do not take care, so this warning should be enough. Even more as
> caching seems to me some sort of advanced configuration anyway that
> will mostly be done by more experienced people.

I think the text "Deny from all" is a particularly dangerous thing to have not work as advertised! No matter how well documented :/

> Just for my remembrance: This was the quick_handler vs. handler issue,
> correct? Who actually vetoes this fix? As far as I remember the fix
> made it configurable where to run the cache handler (quick_handler /
> handler), right?

Yes, basically the map to storage hook needs to be run before mod_cache makes the decision to serve the content. Coming before the map_to_storage hook is the real main difference between a quickhandler and an ordinary handler, so inserting this hook into mod_cache itself makes little sense.

Additionally for a pure proxy environment we don't need the overhead of the map to storage hook, it's only for local content that it matters in this way.

> > prior to GA.
>
> If we remove it before GA no one can use it and it would be a large
> step backward as

It'd be awful!

> If we leave it in we only have a subgroup of users who cannot use it.
> What is more important from my point of view is that we return to a
> discussion how to solve this problem and solve the technical concerns
> expressed in the veto of the fix.

The patch that's vetoed is at:

    http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=111597814015667&w=2

And the concerns at:

    http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=111600137824345&w=2

In an ideal world, I agree with Bill's line of reasoning there (though that's a slightly different problem in the actual thread), the best way to solve this would be to have mod_authz_host "detect" that the rule for the content being served would always be "Allow from all" - so it's safe to cache.

But doing that is very impractical, because even if we could traverse the entire tree of possible allow/deny directives, and then decided it was cacheable, the admin might then add a "Deny". This would silently take no effect until the entity expired from the cache, which is the original problem all over again :/

-- 
Colm MacCárthaigh                        Public Key: [EMAIL PROTECTED]
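
Added example, not part of the thread and not the httpd project's own text: the configuration shape under discussion, written for Apache httpd 2.4, which is an assumption since the thread predates it. The `CacheQuickHandler` directive and the `Require` syntax do not appear in the thread, and the paths and address range are constructed.

```apache
# Added example; paths and the client range are constructed.
# Assumes Apache httpd 2.4 with mod_cache, mod_cache_disk and
# mod_authz_host loaded, and /var/www/example as the DocumentRoot.

CacheRoot "/var/cache/httpd/example"
CacheEnable disk "/"

# Host-based restriction on local content. "Require ip" is the 2.4
# mod_authz_host form of the "Allow from" / "Deny from" rules that
# the thread talks about.
<Directory "/var/www/example/internal">
    Require ip 192.0.2.0/24
</Directory>

# Weak setting (also the default): mod_cache answers from its quick
# handler, before map_to_storage and the access checkers run. Once a
# client inside 192.0.2.0/24 has populated the cache, a cached entity
# under /internal/ can be served to any client until it expires, and
# a "Require all denied" added later has no effect on that entity
# until then.
#CacheQuickHandler on

# Corrected setting: mod_cache runs as an ordinary handler, so the
# <Directory> block above is evaluated on every request, whether or
# not the entity is cached. The cost is the full set of request
# phases on each cache hit.
CacheQuickHandler off
```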
