Sorry, missed it at the time, but this is nonsense:

> remove r1792169 taint checks from proxy and status modules
> Both of these checks are problematic without further
> status: even a .htaccess with no SetHandler blocks the handler.

The status handler doesn't live in the filesystem.  If it's
correctly configured, the filesystem won't be visited, so
of course no .htaccess will be processed.

> proxy: RewriteRule ... ... [P] in htaccess is blocked.

As it should be: for .htaccess to run resources outside
its own directories is a long-standing design bug, and
leads to security issues.  Discussed with reference to
mod_proxy and mod_status in, for example

Leading to the patch committed in r1792169:

> This is for trunk.  I'd be more cautious about 2.4 (or 2.2)
> because it could break screwed-up-but-not-dangerous configs
> in production by refusing unexpectedly to run.  For those
> I'd suggest moving the check from proxy_handler into scheme
> handlers.
> Comments?

(discussion was originally on security@, but it was suggested and the
reporter agreed that it could be brought to dev@).

Nick Kew

Reply via email to