Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c

2017-05-26 Thread Eric Covener
The rewrite case was failing in the test suite. I removed both checks
in r1792169.

On Mon, May 8, 2017 at 8:04 PM, Eric Covener  wrote:
> On Thu, Apr 27, 2017 at 1:51 PM, Eric Covener  wrote:
>> On Fri, Apr 21, 2017 at 4:44 AM,   wrote:
>>> +/* A request that has passed through .htaccess has no business
>>> + * landing up here.
>>> + */
>>> +if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
>>> +return DECLINED;
>>> +}
>>> +
>>
>> If AllowOverride is enabled for the document root and an htaccess is
>> present, this renders /server-status unreachable, regardless of
>> what's in the htaccess. If we're going to block this by default, we
>> might as well just stop configuring it with SetHandler and then the
>> taint checking is not needed.
>>
>> We also have in another thread the issue with RewriteRule ... [P] in
>> htaccess being blocked.  We need some kind of way to express a policy
>> that will be unique to different handlers.
>
> bump? Right now the only two protected handlers are blocking pretty
> routine configurations.



-- 
Eric Covener
cove...@gmail.com


Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c

2017-05-08 Thread Eric Covener
On Thu, Apr 27, 2017 at 1:51 PM, Eric Covener  wrote:
> On Fri, Apr 21, 2017 at 4:44 AM,   wrote:
>> +/* A request that has passed through .htaccess has no business
>> + * landing up here.
>> + */
>> +if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
>> +return DECLINED;
>> +}
>> +
>
> If AllowOverride is enabled for the document root and an htaccess is
> present, this renders /server-status unreachable, regardless of
> what's in the htaccess. If we're going to block this by default, we
> might as well just stop configuring it with SetHandler and then the
> taint checking is not needed.
>
> We also have in another thread the issue with RewriteRule ... [P] in
> htaccess being blocked.  We need some kind of way to express a policy
> that will be unique to different handlers.

bump? Right now the only two protected handlers are blocking pretty
routine configurations.


Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c

2017-04-27 Thread Eric Covener
On Fri, Apr 21, 2017 at 4:44 AM,   wrote:
> +/* A request that has passed through .htaccess has no business
> + * landing up here.
> + */
> +if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
> +return DECLINED;
> +}
> +
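Review bot: the condition `if (ap_request_tainted(r, AP_TAINT_HTACCESS))` refuses the request on the mere fact that it passed through a .htaccess file, not on whether that file changed anything relevant to this handler, so once AllowOverride permits any .htaccess on the path the handler becomes unreachable even when it was configured with SetHandler in the main server config, which is exactly the breakage reported in the reply below. Consider narrowing the check to the case where the handler assignment itself came from .htaccess, or expressing it as a per-handler policy rather than a blanket taint test, and emit a debug-level ap_log_rerror() before `return DECLINED;` so an administrator can see why the request silently fell through. Minor: "landing up here" in the comment reads better as "ending up here".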

If AllowOverride is enabled for the document root and an htaccess is
present, this renders /server-status unreachable, regardless of
what's in the htaccess. If we're going to block this by default, we
might as well just stop configuring it with SetHandler and then the
taint checking is not needed.

We also have in another thread the issue with RewriteRule ... [P] in
htaccess being blocked.  We need some kind of way to express a policy
that will be unique to different handlers.

-- 
Eric Covener
cove...@gmail.com