trawick at gmail
Apr 21, 2012, 1:10 PM
Post #2 of 4
Re: New module mod_allowhandlers / Controlling script execution
On Sat, Apr 21, 2012 at 3:48 PM, Stefan Fritsch <sf [at] sfritsch> wrote:
> there is the problem that if modules like mod_status or
> mod_proxy_balancer are loaded, all people with permissions to create
> .htaccess files can use the status pages by using SetHandler in an
> .htaccess file.
My 2 cents:
SetHandler shouldn't be used to enable these because it requires an
unnecessary filesystem walk and only requires a very small amount of
code to implement a flag directive. Having ServerStatus On|Off
anywhere in the configuration would disable the check for r->handler
== "status-handler" (migration).
Is the use of handler by these a feature though, such as needing to
let other modules generate these reports by some mechanism other than
using a subrequest for or redirecting to the location where it is
enabled? I don't know how smooth mod_allowhandlers would be for that
There are other situations where mod_allowhandlers would be helpful,
but I think we could provide a simpler mechanism (flag) for the
several sensitive handlers in bundled modules.
> I had the idea to create a module like mod_allowmethods, but for
> handlers, that allows to restrict which handlers can be used in
> particular locations. The following config would e.g. prevent
> mod_userdir users from enabling the status pages in their home
> <Location />
> AllowHandlers not server-info server-status balancer-manager
> </Location>
> <Location /server-status>
> AllowHandlers all
> SetHandler server-status
> </Location>
> PoC implementation is at
> http://people.apache.org/~sf/mod_allowhandlers.c . Any objections
> against committing this to trunk?
> It does its checks at the end of the fixup hook. This catches all the
> common ways to set a handler, but of course it is possible that some
> modules may bypass that check (e.g. by changing the handler in an
> early handler hook). But IMHO this could be solved by documentation.
> The config syntax can probably be improved. Specifying a white-list is
> not that easy, because by default every file will have its mime-type
> as handler name. Maybe it needs some pattern or regex matching. Any
> better ideas?
> Another idea where this could be handy: To deny script execution in
> some directories. Currently one needs to have a bunch of RemoveHandler
> and RemoveType statements for various modules (e.g.
> application/x-httpd-php, lua-script). If AllowHandlers allowed to define list
> aliases, one could maybe disable them all with a simple command:
> AllowHandlers not SCRIPTING
> If every scripting module registered its active handler(s) with
> mod_allowhandlers, there would even be no need for defining the alias
> Or would it be a better idea to introduce a new "Options ExecScripts"
> flag and ask all scripting modules to honor that? Or just recommend
> that they use ExecCGI?
Born in Roswell... married an alien...
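
An audit sketch for the exposure described in the quoted message (an added example, not part of the original thread and not mod_allowhandlers code): it walks a document tree and reports per-directory override files whose SetHandler names one of the three handlers listed in the AllowHandlers example. The function names and the sample input are constructed for illustration.

```python
import os
import re

# Handler names taken from the AllowHandlers example quoted in this thread.
SENSITIVE = {"server-info", "server-status", "balancer-manager"}

def logical_lines(text):
    """Yield (first_line_no, line) with backslash line continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf = ""
    if buf:
        yield start, buf

def find_sethandler(text):
    """Return [(line_no, handler)] for SetHandler lines naming a sensitive handler."""
    hits = []
    for no, line in logical_lines(text):
        # Anchored at line start, so commented-out directives are ignored.
        m = re.match(r'\s*SetHandler\s+"?([^"\s]+)"?', line, re.IGNORECASE)
        # Case-insensitive compare is an audit choice: over-report rather than miss.
        if m and m.group(1).lower() in SENSITIVE:
            hits.append((no, m.group(1).lower()))
    return hits

def scan_tree(root, name=".htaccess"):
    """Walk root; return {path: hits}. Pass name= if AccessFileName was changed."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_sethandler(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample input, not taken from a real server.
SAMPLE = ('# user override file\nSetHandler \\\n  "Server-Status"\n'
          '#SetHandler server-info\nSetHandler cgi-script\n')

if __name__ == "__main__":
    print(find_sethandler(SAMPLE))
```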