On Fri, Jun 8, 2012 at 4:58 AM, Joe Orton <[email protected]> wrote:
> On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
>> On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton <[email protected]> wrote:
>> > I like Eric's suggestion of an opt-in RewriteOption. This will avoid
>> > having to iterate yet again if the whitelist is either too broad or too
>> > narrow, and can make the security implications (such as they are)
>> > explicit.
>>
>> Doesn't that just mean that the security implications are unknown when
>> you want mod_rewrite to process a proxied http request or a CONNECT?
>> I.e., you have to turn off the sanity checks in order to use certain
>> infrequently used features.
>
> Yes, but that was exactly the previous state: the security implication
> of doing crazy stuff with rewrite rules really is totally unknown. I
> wouldn't say "infrequently used features", I'd say "undocumented
> behaviour which happened to work previously".

"crazy stuff"/"happened to work" seems a bit convenient for referring to
some useful functionality which was regressed :(

But as far as we know Right Now it is practical for a user to ensure
that all their rewrite rules are well formed and turn on this option
without fear. Right?

I guess there is no desire among the group to take any of the reported
regressions and deem the "feature" supported in the normal manner.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
