On Wed, Apr 4, 2018 at 10:16 AM, Nick Kew <n...@apache.org> wrote:
> Sorry, missed it at the time, but this is nonsense:
>
>> remove r1792169 taint checks from proxy and status modules
>>
>> Both of these checks are problematic without further work.
>>
>> status: even a .htaccess with no SetHandler blocks the handler.
>
> The status handler doesn't live in the filesystem.  If it's
> correctly configured, the filesystem won't be visited, so
> of course no .htaccess will be processed.

What is the correct configuration that doesn't cause htaccess to be
visited?  If it's trunk only, I think it should be an alternate config
mechanism rather than making it incompatible with any other setting in
htaccess.

>
>> proxy: RewriteRule ... ... [P] in htaccess is blocked.
>
> As it should be: for .htaccess to run resources outside
> its own directories is a long-standing design bug, and
> leads to security issues.  Discussed with reference to
> mod_proxy and mod_status in, for example
> https://mail-search.apache.org/members/private-arch/httpd-security/201701.mbox/%3c63b4f81e-f742-563c-d4e4-99c4a50a7...@gmail.com%3E
> https://mail-search.apache.org/members/private-arch/httpd-security/201701.mbox/%3CCALK=yjn55j31eyfmle1bvtgy-9--9ftk2yfjzsumrlql+dk...@mail.gmail.com%3E
> https://mail-search.apache.org/members/private-arch/httpd-security/201701.mbox/%3c6e96a31c-c4f8-36b8-ea94-8f77a2680...@gmail.com%3E
> https://mail-search.apache.org/members/private-arch/httpd-security/201701.mbox/%3CCALK=yjnwr3cncercis4icqvs_wmj-exvddxlsntrplp5qoh...@mail.gmail.com%3E

I think this one did not pass the test suite.

If indirectly breaking RewriteRule [P], I think it should be preceded
by docs (incl. upgrading) and an explicit rejection in mod_rewrite.  I
understand that checks are necessary in the modules due to pulling
their config from the request object, but we can't just silently set
these traps and let them sit in trunk.


>
> Leading to the patch committed in r1792169:
>
>> This is for trunk.  I'd be more cautious about 2.4 (or 2.2)
>> because it could break screwed-up-but-not-dangerous configs
>> in production by refusing unexpectedly to run.  For those
>> I'd suggest moving the check from proxy_handler into scheme
>> handlers.
>>
>> Comments?

RewriteRule [P] in htaccess isn't anywhere near "screwed up".

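The three configurations the thread is arguing about, side by side, as an added illustration (editor's example, not configuration from the thread or from the httpd project; the hostnames, ports, paths and the `/api/` prefix are assumed):

```apache
# (a) .htaccess in the document root: the proxying RewriteRule that the
#     thread says the r1792169 taint check blocks. Needs AllowOverride
#     FileInfo and mod_rewrite, mod_proxy and mod_proxy_http loaded.
#     Backend host and port are assumed.
RewriteEngine On
RewriteRule ^api/(.*)$ http://backend.internal:8080/$1 [P,L]

# (b) The same proxying expressed in server/vhost config instead of
#     .htaccess, i.e. outside the per-directory scope that the thread
#     says .htaccess should not be able to reach past.
<VirtualHost *:80>
    ServerName www.example.com
    ProxyPass        "/api/" "http://backend.internal:8080/"
    ProxyPassReverse "/api/" "http://backend.internal:8080/"
</VirtualHost>

# (c) mod_status enabled the documented way, via <Location> rather than a
#     SetHandler in .htaccess. Whether this alone keeps .htaccess
#     processing out of the request is exactly what the thread disputes.
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
```

Fragment (a) is what the thread calls a legitimate, widely deployed use of `[P]` in `.htaccess`; (b) is the equivalent that stays under the server administrator's control and would be unaffected by a per-directory taint check.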