On 11/18/2011 4:38 PM, William A. Rowe Jr. wrote:
> After several prods, it seems the security@ and hackathon participants
> can't be drawn out of their shells on to dev@. So I'll simply call for
> a majority vote on the following statement...
>
> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
>
> [ ] Is not a security defect
Carries with Issac, Joe, Rüdiger, Reindl, Eric, Stefan and myself in support,
and Graham and Noel opposed. (6 x +1/1 x -1)

As previously pointed out...

> This would obviously need to be clarified in the associated .htaccess
> documentation, be associated with an advisory and affect the conclusion
> of several recent defect reports, both embargoed and discussed plainly
> here on this list.

We should start updating any relevant docs to point out that enabling
.htaccess *does* introduce the ability for an untrusted user to consume an
inordinate amount of server resources. I don't think we need to go into the
details discovered by our security team to make that point.
