On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
> On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton <jor...@redhat.com> wrote:
> > I like Eric's suggestion of an opt-in RewriteOption. This will avoid
> > having to iterate yet again if the whitelist is either too broad or too
> > narrow, and can make the security implications (such as they are)
> > explicit.
>
> Doesn't that just mean that the security implications are unknown when
> you want mod_rewrite to process a proxied http request or a CONNECT?
> I.e., you have to turn off the sanity checks in order to use certain
> infrequently used features.

Yes, but that was exactly the previous state: the security implication
of doing crazy stuff with rewrite rules really is totally unknown. I
wouldn't say "infrequently used features", I'd say "undocumented
behaviour which happened to work previously".

Regards, Joe