Hi Nick, any link to the source code?
Regards,
Yann.

On Fri, Sep 26, 2014 at 4:41 PM, Nick Kew <[email protected]> wrote:
> I've revisited mod_taint this morning, and made some updates:
> a bugfix, a new option to apply an untainting rule to all headers.
> But topically, a canned configuration option to protect
> against shell-shock patterns:
>
>     LoadModule modules/mod_taint.so
>     Untaint shellshock
>
> Untaint works in a directory context, so can be
> selectively enabled for potentially-vulnerable apps
> such as those involving CGI, SSI, ExtFilter,
> or (other) scripts.
>
> This goes through all Request headers, any PATH_INFO
> and QUERY_STRING, and (just to be paranoid) any
> other subprocess environment variables. It untaints
> them against a regexp that checks for "()" at the
> beginning of a variable, and returns an HTTP 400 error
> (Bad Request) if found.
>
> Feedback welcome, indeed solicited. I believe this
> is a simple but sensible approach to protecting
> potentially-vulnerable systems, but I'm open to
> contrary views. The exact details, including the
> shellshock regexp itself, could probably use some
> refinement. And of course, bug reports!
>
> Builds and runs with httpd 2.2 and 2.4. Very limited
> testing verifies that it catches a shellshock attack
> in a request header.
>
> http://people.apache.org/~niq/mod_taint.html
>
> Note: cross-posting, with followup-to set to dev@.
> If you're following up to report a critical bug,
> adding users@ will ensure widest exposure!
>
> --
> Nick Kew
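Added example, not part of the original thread and not mod_taint's own code: the same screening idea as the quoted announcement describes, written as a Python WSGI middleware so the behaviour can be tested outside httpd. The regexp, the names ShellshockScreen and tainted_keys, and the paranoid switch are assumptions made for illustration; the thread does not show mod_taint's actual pattern.

```python
import re

# Assumption: mod_taint's real regexp is not shown in the thread. This
# pattern encodes only the described check: "()" at the start of a value.
SHELLSHOCK_RE = re.compile(r"^\(\)")

# Screened in addition to HTTP_* request headers. WSGI passes these two
# request headers without the HTTP_ prefix, so they are listed explicitly.
ALWAYS_CHECK = ("PATH_INFO", "QUERY_STRING", "CONTENT_TYPE", "CONTENT_LENGTH")


def tainted_keys(environ, paranoid=True):
    """Return the sorted names of variables whose value begins with "()".

    paranoid=True also screens every other string variable in the
    environment, matching the "just to be paranoid" behaviour described.
    """
    hits = []
    for key, value in environ.items():
        if not isinstance(value, str):
            continue  # a WSGI environ also carries file objects, tuples, etc.
        screened = paranoid or key.startswith("HTTP_") or key in ALWAYS_CHECK
        if screened and SHELLSHOCK_RE.match(value):
            hits.append(key)
    return sorted(hits)


class ShellshockScreen:
    """WSGI middleware: answer 400 Bad Request before the wrapped app runs."""

    def __init__(self, app, paranoid=True):
        self.app = app
        self.paranoid = paranoid

    def __call__(self, environ, start_response):
        if tainted_keys(environ, self.paranoid):
            body = b"Bad Request\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]  # the application is never invoked
        return self.app(environ, start_response)
```

Returning the matching variable names from tainted_keys, rather than a bare boolean, gives a request log something to record when a 400 is issued.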
