Hence - my vote - for what it is worth:
[X] Represents a security defect On Sat, Nov 19, 2011 at 12:46 AM, Graham Leggett <[email protected]> wrote: > On 19 Nov 2011, at 12:38 AM, William A. Rowe Jr. wrote: > > After several prods, it seems the security@ and hackathon participants >> can't be drawn out of their shells on to dev@. So I'll simply call for >> a majority vote on the following statement... >> >> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth; >> >> [X] Represents a security defect >> >> [ ] Is not a security defect >> > > The config is clearly demarcated into two types, a "trusted" config loaded > at startup time rooted at /etc/httpd (or wherever), and a limited > "untrusted" config placed into .htaccess files within the content and > loaded at runtime. If we were to declare .htaccess as containing "trusted" > content only, most of the point behind .htaccess is lost. The trusted admin > simply needs to merge .htaccess into the main config, and he gains > load-on-startup and copy-on-write, there is little point in one common > administrator scattering their config in two separate places or mechanisms. > > The people given the power to change both .htaccess and content are > typically customers of a hosting company, or employees at a corporate, and > admins are generally not comfortable exposing themselves to avoidable risk > from either group. That said, I do concede that these two groups are more > trusted than the typical end user who might access a site, but I still > believe we should fix .htaccess problems as reported where it is practical > to do so to bring the risk as low as is practical. > > Regards, > Graham > -- > >
