On Tuesday, November 6, 2012, Stefan Fritsch wrote:
> Hi,
>
> On Sat, 21 Apr 2012, Jeff Trawick wrote:
>
>>> there is the problem that if modules like mod_status or
>>> mod_proxy_balancer are loaded, all people with permissions to create
>>> .htaccess files can use the status pages by using SetHandler in an
>>> .htaccess file.
>>>
>>
>> My 2 cents:
>>
>> SetHandler shouldn't be used to enable these because it requires an
>> unnecessary filesystem walk and only requires a very small amount of
>> code to implement a flag directive. Having ServerStatus On|Off
>> anywhere in the configuration would disable the check for r->handler
>> == "status-handler" (migration).
>>
>
> I must admit that I haven't looked into why they use the handler for
> configuration. But my feeling is that we won't get rid of modules doing
> this in the foreseeable future.
>
>> Is the use of handler by these a feature though, such as needing to
>> let other modules generate these reports by some mechanism other than
>> using a subrequest for or redirecting to the location where it is
>> enabled? I don't know how smooth mod_allowhandler would be for that
>> anyway.
>>
>
> It does the checks at the end of the fixup hook, which seems to work with
> the setups I could think of. But more testing is needed, of course.
>
>> There are other situations where mod_allowhandlers would be helpful,
>> but I think we could provide a simpler mechanism (flag) for the
>> several sensitive handlers in bundled modules.
>>
>
> I think having it in trunk would be nice to find problems with this
> approach. Unless someone disagrees, I am going to commit it. Backport to
> 2.4 can wait until we are sure that it is a good solution.

+1

> Cheers,
> Stefan

--
Born in Roswell... married an alien...
http://emptyhammock.com/
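As an added illustration that is not part of the thread: the .htaccess exposure described above, next to the two server-level ways of closing it, withholding the AllowOverride that SetHandler needs, and, with mod_allowhandlers loaded, denying the sensitive handlers by default. The AllowHandlers syntax follows the module's documentation in httpd trunk; the directory paths and the module path are assumed.

```apache
# Constructed example: what a user who can write .htaccess gets when
# mod_status is loaded and AllowOverride permits FileInfo.
#
#   /var/www/users/alice/.htaccess   (assumed path)
#   SetHandler server-status
#
# Every request under that directory now returns the server status page.

# Mitigation 1: do not grant the override class SetHandler belongs to.
<Directory "/var/www/users">
    # FileInfo is what SetHandler requires; leaving it out of the list
    # makes the .htaccess above fail (HTTP 500) instead of taking effect.
    AllowOverride AuthConfig Limit
</Directory>

# Mitigation 2 (httpd trunk, mod_allowhandlers as discussed in the thread):
# deny the sensitive bundled handlers everywhere, then re-enable each one
# only in the location where it is meant to be served.
LoadModule allowhandlers_module modules/mod_allowhandlers.so

<Directory "/">
    AllowHandlers not server-status server-info balancer-manager
</Directory>

<Location "/server-status">
    AllowHandlers server-status
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
```

With the second block in place, a SetHandler server-status placed in any .htaccess outside /server-status is refused at the end of the fixup phase, which is the check the thread describes.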
