I was copy/pasting bits of this from mod_authz_host into a derivative of mod_limit_ipconn and noticed that the parsed_subnets cache seems unsafe if we are parsing directives in multiple threads from htaccess.
parsed_subnets is an apr_hash_t that we write to when parsing 'Require ip ..'. It seems like it would be helpful to have a bit in cmd_parms to tell us that it came from htaccess, then ap_check_cmd_context() could check it and we could skip caching new subnets. Since it requires write access to htaccess, I don't consider it a security issue.

--
Eric Covener
[email protected]
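
A minimal model of the proposal in the message above, as an added example that is not httpd code or the poster's own: `from_htaccess` is a hypothetical stand-in for the proposed cmd_parms bit, and a fixed-size array stands in for the apr_hash_t cache. All function names and sample subnets are constructed, and the model assumes startup parsing is single-threaded while htaccess parsing runs in request threads.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical model, not httpd code: a process-wide cache filled while
 * parsing "Require ip" arguments, like parsed_subnets in the post. */
#define CACHE_MAX 16
struct subnet { char spec[48]; struct in_addr addr; int bits; };
static struct subnet cache[CACHE_MAX];   /* shared and unsynchronised */
static int cache_used;

/* Parse "a.b.c.d[/len]" into out; returns 0 on success, -1 on bad input. */
static int parse_spec(const char *spec, struct subnet *out) {
    char ip[48], junk;
    int bits = 32;
    const char *slash = strchr(spec, '/');
    size_t n = slash ? (size_t)(slash - spec) : strlen(spec);
    if (n == 0 || n >= sizeof ip || strlen(spec) >= sizeof out->spec) return -1;
    memcpy(ip, spec, n);
    ip[n] = '\0';
    /* "%d%c" returns 1 only when nothing follows the prefix length. */
    if (slash && (sscanf(slash + 1, "%d%c", &bits, &junk) != 1 || bits < 0 || bits > 32))
        return -1;
    if (inet_pton(AF_INET, ip, &out->addr) != 1) return -1;
    strcpy(out->spec, spec);
    out->bits = bits;
    return 0;
}

/* from_htaccess models the bit the post proposes for cmd_parms.
 * Startup parsing may write to the cache; htaccess parsing only reads
 * it and parses misses into caller-owned storage. */
int get_subnet(const char *spec, int from_htaccess, struct subnet *out) {
    for (int i = 0; i < cache_used; i++)
        if (strcmp(cache[i].spec, spec) == 0) { *out = cache[i]; return 0; }
    if (parse_spec(spec, out) != 0) return -1;
    if (!from_htaccess && cache_used < CACHE_MAX)
        cache[cache_used++] = *out;      /* the only write to shared state */
    return 0;
}

int cached_count(void) { return cache_used; }

int main(void) {
    struct subnet s;
    get_subnet("192.0.2.0/24", 0, &s);     /* constructed sample: main config */
    get_subnet("198.51.100.0/24", 1, &s);  /* constructed sample: htaccess */
    printf("cached entries: %d\n", cached_count());
    return 0;
}
```

With the write confined to the startup path, the cache is read-only once request threads exist, so htaccess lookups need no lock.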
