List: apache-httpd-dev
Subject: Re: Proxying subrequests
From: "Arturo 'Buanzo' Busleiman" <buanzo () buanzo ! com ! ar>
Date: 2007-10-29 14:34:17
Message-ID: 4725EF69.5030802 () buanzo ! com ! ar
Jim Jagielski wrote:
> I tend to agree... This seems to open up a huge can
> of worms, and makes it very easy for people to use these "neat"
> features and open themselves up to all kinds of
> nasty, nasty things.
If properly documented, disabled by default, and also ACL-limited (domain, path, dstip of
foreign server), then this is a useful feature. In any case, PHP can already do that. An
Apache-level equivalent is perfect in terms of performance and consistency.
And, in any case, security is not a software-provided but a software-aided feature, I guess. Yes,
clueless admins might be open to XSI attacks, but... PHP, for instance, ships with register_globals
Off by default. Knowledgeable admins can still enable it if they know (or believe they know) what
they're doing. Sounds like a pretty similar discussion to me.
--
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services Offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community at its fullest expression.