On 2010-06-11 at 08:39, Volker <[email protected]> wrote:
> Hi,
>
> while playing around with handlers, I noticed that any user can
> register the 'server-status'-handler by putting
>
>
> SetHandler server-status
>
>
> in an htaccess-File. This cannot be prevented by using alternating
> AllowOverride-directives, since 'SetHandler' is part of 'FileInfo' which
> also holds ErrorDocuments, mod_rewrite, etc.
>
> Since the server-status-handler offers information one might not want
> others to have access to (for example a massive shared hosting
> environment), I created a small patch that enables a custom handlername
> for the server-status-module. Just thought someone else might have use
> for it.
>
> What this patch does:
> - reserves memory for directive with parameter (AP_INIT_TAKE1)
> - adds a function for creating config-records (create_modstatus_config)
> - adds a function to set the handlername (set_serverstatus_handler_name)
>
> If the handlername is not set using the directive, it defaults to the
> old 'server-status' and continues to work with the old setting.
...
> Any comments, suggestions, improvements and/or critical comments are
> welcome.

Thanks for the problem report and patch. Since it doesn't seem that anyone has responded yet (unless I missed it), I suggest that you open a bug report and attach your patch there so it's not forgotten.

I keep thinking there ought to be a better solution for this, but I can't think of one so far.

Dan
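An audit for the behaviour described in the quoted report, added here as an example (not code from the thread or from the Apache project): it walks a document root and lists every `.htaccess` file that sets the `server-status` handler. The function names and the sample tree are constructed for illustration, and matching the handler name case-insensitively is a deliberately conservative assumption.

```python
import os
import re
import tempfile

# Apache directive names are case-insensitive; the handler may be quoted.
SETHANDLER = re.compile(r'^\s*SetHandler\s+"?([^\s"]+)"?', re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_no, line), joining backslash-continued lines."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
        else:
            yield start, buf + raw
            buf = ""
    if buf:
        yield start, buf

def find_handler_overrides(root, handlers=("server-status",)):
    """Return sorted (path, line_no, handler) hits in .htaccess files under root."""
    wanted = {h.lower() for h in handlers}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in logical_lines(fh.read()):
                m = SETHANDLER.match(line)  # '#' comment lines never match
                if m and m.group(1).lower() in wanted:
                    hits.append((path, no, m.group(1)))
    return sorted(hits)

def demo():
    """Scan a constructed docroot (sample data, not from the original thread)."""
    samples = {
        "alice": "SetHandler server-status\n",
        "bob": "# SetHandler server-status\nErrorDocument 404 /404.html\n",
        "carol": "RewriteEngine On\nsethandler \\\n  Server-Status\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for user, body in samples.items():
            os.makedirs(os.path.join(root, user))
            with open(os.path.join(root, user, ".htaccess"), "w") as fh:
                fh.write(body)
        return [(os.path.relpath(p, root), n, h)
                for p, n, h in find_handler_overrides(root)]
```

Calling `find_handler_overrides()` on the real document root of a shared host gives the list of accounts whose overrides would need review.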
