On 27 Mar 2001 [EMAIL PROTECTED] wrote:
> stoddard 01/03/27 11:19:08
>
> Modified: . CHANGES
> include http_config.h
> modules/http http_request.c
> server config.c
> Log:
> Performance: Add quick_handler hook. This hook is called at the
> very beginning of the request processing before location_walk,
> translate_name, etc. This hook is useful for URI keyed content
> caches like Mike Abbott's Quick Shortcut Cache.
>
> 1.94 +30 -1 httpd-2.0/modules/http/http_request.c
>
> Index: http_request.c
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/modules/http/http_request.c,v
> retrieving revision 1.93
> retrieving revision 1.94
> diff -u -r1.93 -r1.94
> --- http_request.c 2001/03/18 02:33:21 1.93
> +++ http_request.c 2001/03/27 19:19:07 1.94
> @@ -391,7 +391,36 @@
>
> void ap_process_request(request_rec *r)
> {
> - process_request_internal(r);
> + int access_status;
> +
> + /* Give quick handlers a shot at serving the request on the fast
> + * path, bypassing all of the other Apache hooks.
> + *
> + * This hook was added to enable serving files out of a URI keyed
> + * content cache ( e.g., Mike Abbott's Quick Shortcut Cache,
> + * described here: http://oss.sgi.com/projects/apache/mod_qsc.html )
> + *
> + * It may have other uses as well, such as routing requests directly to
> + * content handlers that have the ability to grok HTTP and do their
> + * own access checking, etc (e.g. servlet engines).
> + *
> + * Use this hook with extreme care and only if you know what you are
> + * doing.
> + *
> + * Consider moving this hook to after the first location_walk in order
> + * to enable the quick handler to make decisions based on config
> + * directives in Location blocks.
> + */
> + access_status = ap_run_quick_handler(r);
> + if (access_status == OK) {
> + ap_finalize_request_protocol(r);
> + }
> + else if (access_status == DECLINED) {
> + process_request_internal(r);
> + }
> + else {
> + ap_die(access_status, r);
> + }
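
Review bot: the access_status == OK branch after ap_run_quick_handler(r) goes straight to ap_finalize_request_protocol(r) and never calls process_request_internal(r), so, as the comment itself says, it bypasses all of the other Apache hooks and leaves any access checking entirely to whichever module registered the quick handler. The comment only hints at this ("do their own access checking"). State it explicitly as a requirement on hook implementers, or act on the comment's own suggestion and move the call to after the first location_walk so that directives in Location blocks can influence the decision before content is served.
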
Isn't this a huge security hole? You have basically allowed somebody to
serve information off a web server without even checking for
authentication.
Ryan
_______________________________________________________________________________
Ryan Bloom [EMAIL PROTECTED]
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------