Hi,

there is the problem that if modules like mod_status or mod_proxy_balancer are loaded, all people with permissions to create .htaccess files can use the status pages by using SetHandler in an .htaccess file.

I had the idea to create a module like mod_allowmethods, but for handlers, that allows restricting which handlers can be used in particular locations. The following config would e.g. prevent mod_userdir users from enabling the status pages in their home directory:

    <Location />
    AllowHandlers not server-info server-status balancer-manager
    </Location>

    <Location /server-status>
    AllowHandlers all
    SetHandler server-status
    </Location>

PoC implementation is at http://people.apache.org/~sf/mod_allowhandlers.c . Any objections against committing this to trunk?

It does its checks at the end of the fixup hook. This catches all the common ways to set a handler, but of course it is possible that some modules may bypass that check (e.g. by changing the handler in an early handler hook). But IMHO this could be solved by documentation.

The config syntax can probably be improved. Specifying a white-list is not that easy, because by default every file will have its mime-type as handler name. Maybe it needs some pattern or regex matching. Any better ideas?

Another idea where this could be handy: To deny script execution in some directories. Currently one needs to have a bunch of RemoveHandler and RemoveType statements for various modules (e.g. application/x-httpd-php, lua-script). If AllowHandlers allowed to define list aliases, one could maybe disable them all with a simple command:

    AllowHandlers not SCRIPTING

If every scripting module registered its active handler(s) with mod_allowhandlers, there would even be no need for defining the alias manually.

Or would it be a better idea to introduce a new "Options ExecScripts" flag and ask all scripting modules to honor that? Or just recommend that they use ExecCGI?

Cheers,
Stefan
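Added example, not part of the mail above and not the PoC module linked there: a stand-alone C model of the AllowHandlers decision the mail describes (the deny-list "not" form, the "all" override, and a plain allow-list), evaluated the way the fixup-hook check would see a request's handler string. The struct, the function names and the sample handler values are assumptions made for this illustration; it does not use the httpd API, so it compiles on its own and shows why an allow-list of handler names also blocks ordinary files whose handler name is their MIME type.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical per-location configuration, modelled on the directive
 * forms in the mail:
 *   AllowHandlers all            -> allow_all = 1
 *   AllowHandlers not name ...   -> negate = 1, names = {...}
 *   AllowHandlers name ...       -> negate = 0, names = {...}  (allow-list) */
typedef struct {
    int allow_all;            /* "AllowHandlers all": directive switched off here */
    int negate;               /* 1 if the "not" keyword was given */
    const char **names;       /* handler names listed in the directive */
    int count;                /* number of entries in names */
} allowhandlers_conf;

enum { HANDLER_ALLOWED = 0, HANDLER_DENIED = 1 };

/* Handler names are compared exactly; r->handler is an opaque string in
 * httpd, so no case folding is done here either. */
static int name_listed(const allowhandlers_conf *conf, const char *handler)
{
    for (int i = 0; i < conf->count; i++) {
        if (strcmp(conf->names[i], handler) == 0)
            return 1;
    }
    return 0;
}

/* The decision the mail places at the end of the fixup hook. 'handler'
 * stands in for r->handler: whatever SetHandler, AddHandler or a module
 * left there, or NULL when nothing set one. */
int allowhandlers_check(const allowhandlers_conf *conf, const char *handler)
{
    if (conf->allow_all)
        return HANDLER_ALLOWED;
    if (handler == NULL)          /* no handler set: core default serving applies */
        return HANDLER_ALLOWED;

    int listed = name_listed(conf, handler);
    if (conf->negate)             /* "not": listed names denied, everything else allowed */
        return listed ? HANDLER_DENIED : HANDLER_ALLOWED;
    return listed ? HANDLER_ALLOWED : HANDLER_DENIED;   /* allow-list form */
}

/* Constructed configurations mirroring the mail's example. */
static const char *status_names[] = { "server-info", "server-status", "balancer-manager" };
const allowhandlers_conf root_conf = { 0, 1, status_names, 3 };   /* <Location /> */
const allowhandlers_conf status_loc_conf = { 1, 0, NULL, 0 };      /* <Location /server-status> */

/* A naive allow-list for comparison: only server-status permitted. */
static const char *only_status[] = { "server-status" };
const allowhandlers_conf allowlist_conf = { 0, 0, only_status, 1 };

int main(void)
{
    /* Constructed handler values as they could appear in r->handler: a
     * SetHandler from a user's .htaccess, a PHP script, and a plain file
     * whose handler name is simply its MIME type. */
    const char *samples[] = { "server-status", "application/x-httpd-php", "text/html" };

    for (int i = 0; i < 3; i++) {
        printf("%-26s root: %-8s allow-list: %s\n", samples[i],
               allowhandlers_check(&root_conf, samples[i]) ? "denied" : "allowed",
               allowhandlers_check(&allowlist_conf, samples[i]) ? "denied" : "allowed");
    }
    /* Inside <Location /server-status>, "AllowHandlers all" re-enables the page. */
    printf("server-status under /server-status: %s\n",
           allowhandlers_check(&status_loc_conf, "server-status") ? "denied" : "allowed");
    return 0;
}
```

The deny-list form leaves text/html and the PHP handler alone and only blocks the three status handlers, which is what the root Location in the mail wants; the allow-list form denies text/html as well, which is the problem the mail raises with specifying a white-list when every static file carries its MIME type as handler name.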
