On 19 Nov 2011, at 12:38 AM, William A. Rowe Jr. wrote:
> After several prods, it seems the security@ and hackathon participants
> can't be drawn out of their shells on to dev@. So I'll simply call for
> a majority vote on the following statement...
>
> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth:
>
> [X] Represents a security defect
> [ ] Is not a security defect
The config is clearly demarcated into two types, a "trusted" config
loaded at startup time rooted at /etc/httpd (or wherever), and a
limited "untrusted" config placed into .htaccess files within the
content and loaded at runtime. If we were to declare .htaccess as
containing "trusted" content only, most of the point behind .htaccess
is lost. The trusted admin simply needs to merge .htaccess into the
main config, and he gains load-on-startup and copy-on-write; there is
little point in one common administrator scattering their config across
two separate places or mechanisms.
The people given the power to change both .htaccess and content are
typically customers of a hosting company, or employees at a corporate,
and admins are generally not comfortable exposing themselves to
avoidable risk from either group. That said, I do concede that these
two groups are more trusted than the typical end user who might access
a site, but I still believe we should fix .htaccess problems as
reported where it is practical to do so to bring the risk as low as is
practical.
Regards,
Graham
--