The rewrite case was failing in the test suite. I removed both checks in r1792169.
On Mon, May 8, 2017 at 8:04 PM, Eric Covener <cove...@gmail.com> wrote:
> On Thu, Apr 27, 2017 at 1:51 PM, Eric Covener <cove...@gmail.com> wrote:
>> On Fri, Apr 21, 2017 at 4:44 AM, <n...@apache.org> wrote:
>>> + /* A request that has passed through .htaccess has no business >>> + * landing up here. >>> + */ >>> + if (ap_request_tainted(r, AP_TAINT_HTACCESS)) { >>> + return DECLINED; >>> + } >>> +
>>
>> If AllowOverride is enabled for the document root and an htaccess is
>> present, this renders /server-status unreachable, regardless of
>> what's in the htaccess. If we're going to block this by default, we
>> might as well just stop configuring it with SetHandler and then the
>> taint checking is not needed.
>>
>> We also have in another thread the issue with RewriteRule ... [P] in
>> htaccess being blocked. We need some kind of way to express a policy
>> that will be unique to different handlers.
>
> bump? Right now the only two protected handlers are blocking pretty
> routine configurations.

-- 
Eric Covener
cove...@gmail.com
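
Review bot: The `ap_request_tainted(r, AP_TAINT_HTACCESS)` check returns DECLINED for every request that has passed through any .htaccess, regardless of what that file did, so the handler cannot tell a harmless override from one that actually steered the request to it. Consider gating the check on a per-handler, configurable policy instead of hard-coding it, and logging why the request was declined, since a silent `return DECLINED;` leaves an administrator nothing to diagnose an unreachable handler with. The comment should also name the request paths it intends to reject rather than saying only "has no business landing up here".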