This (among others) seems to have got lost in the ether. Dan, I did reply to your comments :)
Begin forwarded message:

> From: Nick Kew <[email protected]>
> Date: 28 July 2010 23:38:10 GMT+01:00
> To: [email protected]
> Subject: Re: Untainting an incoming request
>
>
> On 28 Jul 2010, at 13:13, Dan Poirier wrote:
>
>> Example usage?
>>
>> Just to better understand the scope, can this do things that one
>> couldn't do (however painfully) with mod_rewrite?
>
> Very likely not (that's not the purpose of it). Complexity - and hence
> a mod_rewrite-based alternative - is the enemy of security. Merging
> duplicate request headers is a simplicity feature that would not sit
> so well in mod_rewrite, and without it we have huge complexity in
> devising untainting rules!
>
> I did indeed contemplate implementing the function with an "untaint"
> directive in mod_rewrite, that would translate to a RewriteCond+RewriteRule pair.
> But that's asking for trouble: giving every future tweak to mod_rewrite
> potential to impact on or break a security feature.
>
> --
> Nick Kew
