Hello everyone,

We're looking at moving our shared hosting execution behind mod_fcgid and suexec, but we need to continue to allow our users' .htaccess 'Files' overrides. The current mod_fcgid allows users to execute arbitrary commands by configuring the FcgidAccessChecker, FcgidAuthenticator, FcgidAuthorizer, and FcgidWrapper directives within .htaccess files.

- https://issues.apache.org/bugzilla/show_bug.cgi?id=49220

I've approached a fix by creating a directive that would disable the application of those directives within .htaccess files if set; that patch has been submitted to the httpd bug 49220.

You might shrewdly wonder "how can this matter - this is cgi after all, we're just going to try to exec the resulting file!", but we're able to get away from that by disabling ExecCGI globally and setting it per-request in a separate module, which also ensures the request is mapped to our specific FcgidWrapper.

I see mod_fcgid 2.3.8 is closing in a few days; any chance to sneak this in?

Thanks for your time and consideration.

Ben
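An audit for the exposure described in the message above, as an added example that is not part of the original post or of mod_fcgid: it scans .htaccess content for the four named directives, joining backslash continuations before skipping comments, as httpd does when reading config lines. The function names and the sample file are constructed for illustration.

```python
import re

# The four directives the post names as usable from .htaccess.
RISKY = {"fcgidaccesschecker", "fcgidauthenticator",
         "fcgidauthorizer", "fcgidwrapper"}

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]          # drop the backslash, keep reading
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:            # file ended on a continuation
        yield start, buf

def find_fcgid_overrides(text):
    """Return [(line_no, directive, args, enclosing_section_or_None)]."""
    hits, sections = [], []
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</\s*\w+", line):              # </Files>, </IfModule>, ...
            if sections:
                sections.pop()
            continue
        opener = re.match(r"<(\w+)\s*([^>]*)>", line)
        if opener:                                   # <Files "*.php">
            sections.append(f"<{opener.group(1)} {opener.group(2).strip()}>")
            continue
        words = line.split()
        if words[0].lower() in RISKY:                # directive names are case-insensitive
            hits.append((no, words[0], " ".join(words[1:]),
                         sections[-1] if sections else None))
    return hits

# Constructed sample .htaccess; paths are placeholders.
SAMPLE = '''\
# constructed sample .htaccess
Options -Indexes
<Files "*.php">
    fcgidwrapper /home/user/bin/wrap \\
        .php
</Files>
#FcgidAuthorizer /home/user/bin/authz
FcgidAccessChecker /home/user/bin/check
'''
```

Run `find_fcgid_overrides` over each per-directory override file under the hosted document roots; any hit is a user-controlled program path that mod_fcgid would be asked to execute.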
