> -----Original Message-----
> From: Stefan Fritsch [mailto:s...@sfritsch.de]
> Sent: Saturday, 19 November 2011 03:37
> To: dev@httpd.apache.org
> Subject: Re: [Vote] .htaccess logic abuse
>
> On Friday 18 November 2011, William A. Rowe Jr. wrote:
> > Resource abuse of an .htaccess config in the form of
> > cpu/memory/bandwidth;
> >
> > [ ] Represents a security defect
> > [X] Is not a security defect
> >
> > This would obviously need to be clarified in the associated
> > .htaccess documentation, be associated with an advisory and affect
> > the conclusion of several recent defect reports, both embargoed
> > and discussed plainly here on this list.
>
> We should not make any promises we won't be able to keep. There are
> countless ways to cause a DoS from .htaccess. The .htaccess mechanism
> has not been designed with resource limitation in mind. Changing that
> will be a lot of work and will likely break ABI/API, i.e. the fixes
> won't be backportable to stable releases. We should treat those issues
> as regular bugs and make DoS safe .htaccess a goal. But we should make
> it clear that this goal likely won't be reached in 2.4.x and earlier.

+1. Well put.

Regards

Rüdiger