On Friday 18 November 2011, William A. Rowe Jr. wrote:
> Resource abuse of an .htaccess config in the form of
> cpu/memory/bandwidth;
>
> [ ] Represents a security defect
> [X] Is not a security defect
>
> This would obviously need to be clarified in the associated
> .htaccess documentation, be associated with an advisory and affect
> the conclusion of several recent defect reports, both embargoed
> and discussed plainly here on this list.
We should not make any promises we won't be able to keep. There are countless ways to cause a DoS from .htaccess. The .htaccess mechanism has not been designed with resource limitation in mind. Changing that will be a lot of work and will likely break ABI/API, i.e. the fixes won't be backportable to stable releases. We should treat those issues as regular bugs and make a DoS-safe .htaccess a goal. But we should make it clear that this goal likely won't be reached in 2.4.x and earlier.