
List:       apache-httpd-dev
Subject:    Re: Proxying subrequests
From:       "Arturo 'Buanzo' Busleiman" <buanzo () buanzo ! com ! ar>
Date:       2007-10-29 14:34:17
Message-ID: 4725EF69.5030802 () buanzo ! com ! ar

Jim Jagielski wrote:
> I tend to agree... This seems to open up a huge can
> of worms, and makes it v easy for people to use these "neat"
> features and open themselves up to all kinds of
> nasty, nasty things.

If properly documented, disabled by default, and also ACL-limited (domain, path, dstip of
foreign server), then this is a useful feature. In any case, PHP can already do that. An
Apache-level equivalent is perfect in terms of performance and consistency.

And, in any case, security is not a software-provided but, I guess, a software-aided feature. Yes,
clueless admins might be open to XSI attacks, but... PHP, for instance, provides register_globals
set to Off by default. Knowledgeable admins can still enable it if they know (or believe they know)
what they're doing. Sounds like a pretty similar discussion to me.


--
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services Offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community in its fullest expression.