> -----Original Message-----
> From: Richard L. Goerwitz [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 16, 2000 10:11 AM
> To: [EMAIL PROTECTED]
> Cc: Geoffrey Young
> Subject: Re: security suggestion
>
>
> Following up on the security suggestion (I'm actually responding to
> private mail, so I'll just quote the person who wrote to me without
> giving a name) -
>
> > Of course you can do this in an .htaccess file, too:
> >
> > <Perl>
> > arbitrary perl code...
> > </Perl>
>
> I'd argue that people shouldn't be able to do that - unless, of course,
> they can ExecCGI.
>
> The general idea is this: Regular users without ExecCGI may have good
> reason to say things like,
>
> PerlAuthenHandler Apache::SomeNewAuthModule

but what about

PerlSetEnv PERL5LIB '/my/lib/'
PerlAuthenHandler My::Handler

there's nothing that says an AuthenHandler has to authenticate :)

maybe it would be possible to limit

PerlAuthenHandler 'sub {do something destructive};'

via a directive, but this is mod_perl - I can't see how you would be able to
allow good activity without there being some way around it for destructive
types...

at least not in a generic sense - you could write an Init handler that
pushes Your::Validator to the front of each phase which runs all configured
handlers through various checks (of course one that seemed valid could push
another bad handler to the stack on the fly)

see what I mean - protection is not guaranteed...

> Although we want those users to have access to these modules (and to the
> added functionality they bring), we may not want them to be able to
> execute arbitrary Perl code.

PERL_SECTIONS=0 at build time can deactivate this across the board

--Geoff
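
An audit sketch for the directives discussed in this thread, added here as an example and not part of the original messages: it scans .htaccess text for `<Perl>` sections, a `PerlSetEnv PERL5LIB` override, inline `sub {...}` handlers, and handler modules outside an allowlist. The allowlist, the rule names and the sample file are constructed for illustration; the scan reports risky configuration and enforces nothing.

```python
import re

# Assumption: the site's approved handler modules (name taken from the thread).
ALLOWED = {"Apache::SomeNewAuthModule"}

HANDLER = re.compile(r"^(Perl\w*Handler)\s+(.+)$", re.I)
LIB_ENV = re.compile(r"^PerlSetEnv\s+PERL5LIB\b", re.I)
INLINE_SUB = re.compile(r"\bsub\s*\{")

def audit_htaccess(text, allowed=ALLOWED):
    """Return sorted (line_no, rule) findings for one .htaccess file's text."""
    findings, approved_lines, path_override = [], [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.lower().startswith("<perl"):
            findings.append((no, "perl-section"))
        elif LIB_ENV.match(line):
            path_override = True
            findings.append((no, "module-path-override"))
        elif (m := HANDLER.match(line)):
            arg = m.group(2).strip("'\"")
            if INLINE_SUB.search(arg):
                findings.append((no, "inline-code"))
                continue
            # Handlers may be given as Module, Module->method or several names.
            names = [n.split("->")[0] for n in arg.split()]
            if all(n in allowed for n in names):
                approved_lines.append(no)
            else:
                findings.append((no, "unapproved-handler"))
    # An approved name is only as trustworthy as the path it is loaded from.
    if path_override:
        findings += [(no, "approved-handler-shadowable") for no in approved_lines]
    return sorted(findings)

# Constructed sample built from the directives quoted in the thread.
SAMPLE = """\
# constructed sample .htaccess
AuthType Basic
PerlAuthenHandler Apache::SomeNewAuthModule
PerlSetEnv PERL5LIB '/my/lib/'
PerlAuthenHandler My::Handler
PerlAuthenHandler 'sub {do something destructive};'
<Perl>
arbitrary perl code...
</Perl>
"""

if __name__ == "__main__":
    for no, rule in audit_htaccess(SAMPLE):
        print(f"line {no}: {rule}")
```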