diff options
author | Philip M. Gollucci <pgollucci@apache.org> | 2008-12-10 19:18:59 +0000 |
---|---|---|
committer | Philip M. Gollucci <pgollucci@apache.org> | 2008-12-10 19:18:59 +0000 |
commit | a736c6c16d509d8489c4bd39333cfdecb61a932c (patch) | |
tree | 5fdcd8a19c5a8e64fc479e20d67020d3746b6da0 | |
parent | 1ddd51491ff30d5c92cafcd115bfc33cd47201fc (diff) | |
parent | a550230f1a158ec82f519b3ddf3d29dcf5d8d0d2 (diff) | |
download | httpd-apreq-integration.tar.gz |
sync with trunk before I start mucking in the waters themselvesapreq-integration
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/apreq-integration@725390 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | docs/manual/mod/mod_heartbeat.xml | 47 | ||||
-rw-r--r-- | docs/manual/mod/mod_heartmonitor.xml | 59 | ||||
-rw-r--r-- | docs/manual/mod/mod_lbmethod_heartbeat.xml | 52 | ||||
-rw-r--r-- | docs/manual/mod/mod_negotiation.xml.ja | 6 | ||||
-rw-r--r-- | docs/manual/mod/mod_privileges.xml | 86 | ||||
-rw-r--r-- | modules/http/http_request.c | 21 |
6 files changed, 256 insertions, 15 deletions
diff --git a/docs/manual/mod/mod_heartbeat.xml b/docs/manual/mod/mod_heartbeat.xml new file mode 100644 index 0000000000..3a488d0879 --- /dev/null +++ b/docs/manual/mod/mod_heartbeat.xml @@ -0,0 +1,47 @@ +<?xml version="1.0"?> +<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> +<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?> +<!-- $LastChangedRevision$ --> + +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +<modulesynopsis metafile="mod_heartbeat.xml.meta"> + +<name>mod_heartbeat</name> +<description></description> +<status>Extension</status> +<sourcefile>mod_heartbeat.c</sourcefile> +<identifier>heartbeat_module</identifier> +<compatibility>Available in 2.3 and later</compatibility> + +<summary> + <note><!-- FIXME: -->This document is still under development.</note> +</summary> + +<directivesynopsis> +<name>HeartbeatAddress</name> +<description>Address to send heartbeat requests</description> +<syntax></syntax> +<contextlist><context>server config</context></contextlist> + +<usage> + <note><!-- FIXME: -->This document is still under development.</note> +</usage> +</directivesynopsis> + +</modulesynopsis> diff --git a/docs/manual/mod/mod_heartmonitor.xml b/docs/manual/mod/mod_heartmonitor.xml new file mode 100644 index 0000000000..a0c81ded66 --- /dev/null +++ b/docs/manual/mod/mod_heartmonitor.xml @@ -0,0 +1,59 @@ +<?xml version="1.0"?> +<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> +<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?> +<!-- $LastChangedRevision$ --> + +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +<modulesynopsis metafile="mod_heartmonitor.xml.meta"> + +<name>mod_heartmonitor</name> +<description></description> +<status>Extension</status> +<sourcefile>mod_heartmonitor.c</sourcefile> +<identifier>heartmonitor_module</identifier> +<compatibility>Available in 2.3 and later</compatibility> + +<summary> + <note><!-- FIXME: -->This document is still under development.</note> +</summary> + +<directivesynopsis> +<name>HeartbeatListen</name> +<description>Address to listen for heartbeat requests</description> +<syntax></syntax> +<contextlist><context>server config</context></contextlist> + +<usage> + <note><!-- FIXME: -->This document is still under development.</note> +</usage> +</directivesynopsis> + +<directivesynopsis> +<name>HeartbeatStorage</name> +<description>Path to store heartbeat data</description> +<syntax>HeartbeatStorage <var>file-path</var></syntax> +<default>HeartbeatStorage logs/hb.dat</default> +<contextlist><context>server config</context></contextlist> + +<usage> + <note><!-- FIXME: -->This document is still under development.</note> +</usage> +</directivesynopsis> + +</modulesynopsis> diff --git a/docs/manual/mod/mod_lbmethod_heartbeat.xml b/docs/manual/mod/mod_lbmethod_heartbeat.xml new file mode 100644 index 0000000000..71eaf16624 --- /dev/null +++ b/docs/manual/mod/mod_lbmethod_heartbeat.xml @@ -0,0 +1,52 @@ +<?xml version="1.0"?> +<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> +<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?> +<!-- $LastChangedRevision$ --> + +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +<modulesynopsis metafile="mod_lbmethod_heartbeat.xml.meta"> + +<name>mod_lbmethod_heartbeat</name> +<description><!-- FIXME: --> This document is still under development.</description> +<status>Extension</status> +<sourcefile>mod_lbmethod_heartbeat.c</sourcefile> +<identifier>lbmethod_heartbeat_module</identifier> +<compatibility>Available in version 2.3 and later</compatibility> + +<summary> + <note><!-- FIXME: --> This document is still under development.</note> +</summary> +<seealso><module>mod_proxy</module></seealso> +<seealso><module>mod_proxy_balancer</module></seealso> +<seealso><module>mod_heartbeat</module></seealso> +<seealso><module>mod_heartmonitor</module></seealso> + +<directivesynopsis> +<name>HeartbeatStorage</name> +<description>Path to read heartbeat data</description> +<syntax>HeartbeatStorage <var>file-path</var></syntax> +<default>HeartbeatStorage logs/hb.dat</default> +<contextlist><context>server config</context></contextlist> + +<usage> + <note><!-- FIXME: -->This document is still under development.</note> +</usage> +</directivesynopsis> + +</modulesynopsis> diff --git a/docs/manual/mod/mod_negotiation.xml.ja b/docs/manual/mod/mod_negotiation.xml.ja index 56a50d93a0..8340670c38 100644 --- a/docs/manual/mod/mod_negotiation.xml.ja +++ b/docs/manual/mod/mod_negotiation.xml.ja @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> <?xml-stylesheet type="text/xsl" href="../style/manual.ja.xsl"?> -<!-- English Revision: 151408:420990 (outdated) --> +<!-- English Revision: 420990 --> <!-- Licensed to the Apache Software Foundation (ASF) under one or more @@ -84,8 +84,8 @@ このヘッダがない場合、ファイルの実際の長さが使用されます。</dd> <dt><code>Content-Type:</code></dt> - <dd>ドキュメントの MIME - メディアタイプ、オプショナルなパラメータ付き。パラメータの構文は + <dd>ドキュメントの <glossary ref="mime-type">MIME + メディアタイプ</glossary>、オプショナルなパラメータ付き。パラメータの構文は <code>name=value</code> で、メディアタイプや他のパラメータとはセミコロンで分離されます。 共通のパラメータは以下のとおり: diff --git a/docs/manual/mod/mod_privileges.xml b/docs/manual/mod/mod_privileges.xml index b6d141d30d..f63fb07573 100644 --- a/docs/manual/mod/mod_privileges.xml +++ b/docs/manual/mod/mod_privileges.xml @@ -58,6 +58,92 @@ separation is an issue.</p> </summary> +<section id="security"><title>Security Considerations</title> +<p>There are three principal security concerns with mod_privileges:</p> +<ul><li>Running as a system user introduces the same security issues + as mod_suexec, and near-equivalents such as cgiwrap and suphp.</li> +<li>A privileges-aware malicious user extension (module or script) + could escalate its privileges to anything available to the + httpd process in any virtual host.</li> +<li>A privileges-aware malicious user extension (module or script) + could escalate privileges to set its user ID to another + system user (and/or group).</li> +</ul> + +<p>The first is amply discussed in the suexec page and elsewhere, and +doesn't need repeating here. The second and third boil down to one +principle: ensure no untrusted privileges-aware code can be loaded. +</p> + +<p>There are several ways privileges-aware code could be loaded into Apache:</p> +<ul> +<li>within the base system (e.g. mod_privileges itself if statically linked).</li> +<li>Loaded at startup using a LoadModule or LoadFile directive.</li> +<li>Loaded at startup indirectly by an application module such as mod_php.</li> +<li>Loaded at runtime by an application module or script.</li> +</ul> + +<p>What gets loaded at startup is under the control of the sysop, and +relatively easy to deal with. A tool will be provided to audit your +installation. That leaves code loaded in the course of processing a +request as the threat. There is unfortunately no generic way apache +can control what a script running under an application module can load, +so you should use the security provided by your scripting module +and language.</p> + +<section><title>Security with mod_php</title> + +<p>There is no known PHP extension supporting Solaris privileges, so it +is unlikely that a script could escalate privileges unless it can +load external (non-PHP) privileges-aware code. However, you should +nevertheless audit your mod_php installation.</p> + +<p>To prevent scripts loading privileges-aware code, PHP's dl() function +should be disabled. This is automatic in safe mode.</p> + +</section> + +<section><title>Security with mod_perl</title> + +<p>Perl has an extension Sun::Solaris::Privileges that exposes the privileges +API to scripts. You should ensure this extension is NOT installed if you +have untrusted users.</p> + +<p>You will also need to ensure that your users cannot load shared objects +(including PerlXS) from their own user directories, or that if this is +enabled, the entire user-space must be carefully audited.</p> +</section> + +<section><title>Security with mod_python</title> + +<p>There is no known Python extension supporting Solaris privileges, so it +is unlikely that a script could escalate privileges unless it can +load external (non-Python) privileges-aware code. However, you should +nevertheless audit your mod_ruby installation.</p> + +<p>*** What are the issues of Python loading a shared object?</p> +</section> + +<section><title>Security with mod_ruby</title> + +<p>There is no known Ruby extension supporting Solaris privileges, so it +is unlikely that a script could escalate privileges unless it can +load external (non-Ruby) privileges-aware code. However, you should +nevertheless audit your mod_ruby installation.</p> + +<p>*** What are the issues of Ruby loading a shared object?</p> +</section> + +<section><title>Security with Lua/mod_wombat</title> + +<p>???</p> +</section> +<section><title>Security with scripts</title> +<p>The security issues of mod_privileges do not affect scripts such as +traditional CGI, which run in a separate process. That includes +PHP, Perl, Python, Ruby, etc, run out-of-process.</p> +</section> +</section> <directivesynopsis> <name>VHostUser</name> <description>Sets the User ID under which a virtual host runs.</description> diff --git a/modules/http/http_request.c b/modules/http/http_request.c index fed313bee9..4da05d2ba0 100644 --- a/modules/http/http_request.c +++ b/modules/http/http_request.c @@ -518,6 +518,15 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r) r->output_filters = rr->output_filters; r->input_filters = rr->input_filters; + /* If any filters pointed at the now-defunct rr, we must point them + * at our "new" instance of r. In particular, some of rr's structures + * will now be bogus (say rr->headers_out). If a filter tried to modify + * their f->r structure when it is pointing to rr, the real request_rec + * will not get updated. Fix that here. + */ + update_r_in_filters(r->input_filters, rr, r); + update_r_in_filters(r->output_filters, rr, r); + if (r->main) { ap_add_output_filter_handle(ap_subreq_core_filter_handle, NULL, r, r->connection); @@ -541,20 +550,8 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r) } if (next && (next->frec == ap_subreq_core_filter_handle)) { ap_remove_output_filter(next); - if (next == r->output_filters) { - r->output_filters = r->output_filters->next; - } } } - - /* If any filters pointed at the now-defunct rr, we must point them - * at our "new" instance of r. In particular, some of rr's structures - * will now be bogus (say rr->headers_out). If a filter tried to modify - * their f->r structure when it is pointing to rr, the real request_rec - * will not get updated. Fix that here. - */ - update_r_in_filters(r->input_filters, rr, r); - update_r_in_filters(r->output_filters, rr, r); } AP_DECLARE(void) ap_internal_redirect(const char *new_uri, request_rec *r) |