Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c

Eric Covener
On Fri, Apr 21, 2017 at 4:44 AM,  <[hidden email]> wrote:
> +    /* A request that has passed through .htaccess has no business
> +     * landing up here.
> +     */
> +    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
> +        return DECLINED;
> +    }
> +

If AllowOverride is enabled for the document root an d an htaccess is
present,  this renders /server-status unreachable, regardless of
what's in the htaccess. If we're going to block this by default, we
might as well just stop configuring it with SetHandler and then the
taint checking is not needed.

We also have in another thread the issue with RewriteRule ... [P] in
htaccess being blocked.  We need some kind of way to express a policy
that will be unique to different handlers.

--
Eric Covener
[hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c

Eric Covener
On Thu, Apr 27, 2017 at 1:51 PM, Eric Covener <[hidden email]> wrote:

> On Fri, Apr 21, 2017 at 4:44 AM,  <[hidden email]> wrote:
>> +    /* A request that has passed through .htaccess has no business
>> +     * landing up here.
>> +     */
>> +    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
>> +        return DECLINED;
>> +    }
>> +
>
> If AllowOverride is enabled for the document root an d an htaccess is
> present,  this renders /server-status unreachable, regardless of
> what's in the htaccess. If we're going to block this by default, we
> might as well just stop configuring it with SetHandler and then the
> taint checking is not needed.
>
> We also have in another thread the issue with RewriteRule ... [P] in
> htaccess being blocked.  We need some kind of way to express a policy
> that will be unique to different handlers.

bump? Right now the only two protected handlers are blocking pretty
routine configurations.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c

Eric Covener
The rewrite case was failing in the test suite. I removed both checks
in r1792169.

On Mon, May 8, 2017 at 8:04 PM, Eric Covener <[hidden email]> wrote:

> On Thu, Apr 27, 2017 at 1:51 PM, Eric Covener <[hidden email]> wrote:
>> On Fri, Apr 21, 2017 at 4:44 AM,  <[hidden email]> wrote:
>>> +    /* A request that has passed through .htaccess has no business
>>> +     * landing up here.
>>> +     */
>>> +    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
>>> +        return DECLINED;
>>> +    }
>>> +
>>
>> If AllowOverride is enabled for the document root an d an htaccess is
>> present,  this renders /server-status unreachable, regardless of
>> what's in the htaccess. If we're going to block this by default, we
>> might as well just stop configuring it with SetHandler and then the
>> taint checking is not needed.
>>
>> We also have in another thread the issue with RewriteRule ... [P] in
>> htaccess being blocked.  We need some kind of way to express a policy
>> that will be unique to different handlers.
>
> bump? Right now the only two protected handlers are blocking pretty
> routine configurations.



--
Eric Covener
[hidden email]
Loading...