On Fri, Jun 08, 2012 at 08:19:22AM -0400, Jeff Trawick wrote: > On Fri, Jun 8, 2012 at 4:58 AM, Joe Orton <[email protected]> wrote: > > Yes, but that was exactly the previous state: the security implication > > of doing crazy stuff with rewrite rules really is totally unknown. I > > wouldn't say "infrequently used features", I'd say "undocumented > > behaviour which happened to work previously". > > "crazy stuff"/"happened to work" seems a bit convenient for referring > to some useful functionality which was regressed :( But as far as we > know Right Now it is practical for a user to ensure that all their > rewrite rules are well formed and turn on this option without fear. > Right?
Right, so long as the rule set is safe for all possible input strings, and users realise mod_rewrite does not constrain that set of strings. Yeah, this is perhaps a "convenient" position to take. We'd be open to the same accusation had we decided that 3368/4317 were config issues not security issues, just with a different set of disgruntled users. I'd still go this route, I think; default to safe + config option for "unsafe" mode. > I guess there is no desire among the group to take any of the reported > regressions and deem the "feature" supported in the normal manner. Without a config option? I've no objection but neither any desire to climb that mountain myself. The problem I see is that we'd need a better specification for the "rule set input string" to replace "URL-path"; I've no handle on how complex that would be. Regards, Joe
