On Fri, Sep 20, 2013 at 4:31 PM, Benjamin Coddington <[email protected]> wrote:

> Hello everyone,
>
> We're looking at moving our shared hosting execution behind mod_fcgid and
> suexec, but we need to continue to allow our users .htaccess 'Files'
> overrides. The current mod_fcgid allows users to execute arbitrary
> commands by configuring the FcgidAccessChecker, FcgidAuthenticator,
> FcgidAuthorizer, and FcgidWrapper directives within .htaccess files.
>
> - https://issues.apache.org/bugzilla/show_bug.cgi?id=49220
>
> I've approached a fix by creating a directive that would disable the
> application of those directives within .htaccess files if set; that patch
> has been submitted to the httpd bug 49220.
>
> You might shrewdly wonder "how can this matter - this is cgi after all,
> we're just going to try to exec the resulting file!", but we're able to get
> away from that by disabling ExecCGI globally and setting it per-request in
> a separate module which also ensures the request is mapped to our specific
> FcgidWrapper.
>
> I see mod_fcgid 2.3.8 is closing in a few days; any chance to sneak this
> in? Thanks for your time and consideration.
>
> Ben

Unless someone else speaks up, I'll spend some time on it.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
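As an added illustration that is not part of this thread or of mod_fcgid: a Python audit that walks a hosting tree and lists every .htaccess use of the four directives named above, so an operator can see which sites rely on them before restricting them. The default AccessFileName of .htaccess, the function names and the sample file contents are assumptions made for this example.

```python
import os
import tempfile

# Directives the post names as letting .htaccess authors run commands.
RISKY = {"fcgidaccesschecker", "fcgidauthenticator",
         "fcgidauthorizer", "fcgidwrapper"}

def logical_lines(text):
    """Yield (first_line_no, text), joining backslash-continued lines."""
    parts, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not parts:
            start = no
        parts.append(raw[:-1] if raw.endswith("\\") else raw)
        if raw.endswith("\\"):
            continue
        yield start, "".join(parts)
        parts = []
    if parts:
        yield start, "".join(parts)

def scan_htaccess(path):
    """Return [(line_no, directive, args)] for risky directives in one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    for no, line in logical_lines(text):
        words = line.split()
        # Skip blanks, comments and section tags such as <Files>.
        if not words or words[0][0] in "#<":
            continue
        if words[0].lower() in RISKY:  # directive names are case-insensitive
            hits.append((no, words[0], " ".join(words[1:])))
    return hits

def scan_tree(root, access_file=".htaccess"):
    """Walk root; access_file assumes the default AccessFileName."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if access_file in files:
            path = os.path.join(dirpath, access_file)
            found += [(path, *hit) for hit in scan_htaccess(path)]
    return found

SAMPLE = ('# FcgidWrapper /bin/true\n<Files "*.php">\n'  # constructed sample
          "  fcgidwrapper /home/u1/bin/wrap \\\n      .php\n</Files>\n"
          "Options -Indexes\nFcgidAuthorizer /home/u1/bin/authz\n")

def demo():
    """Write SAMPLE into a temporary tree and return the hits without paths."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "u1", "public_html")
        os.makedirs(site)
        with open(os.path.join(site, ".htaccess"), "w") as fh:
            fh.write(SAMPLE)
        return [hit[1:] for hit in scan_tree(root)]
```

Calling `scan_tree()` on the real document root returns `(path, line_no, directive, args)` tuples; the commented-out directive in the sample is ignored, while the lower-case, continued one inside `<Files>` is reported.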
