On Jan 25, 2008 7:55 PM, Akins, Brian <[EMAIL PROTECTED]> wrote:
> I started to play with xsendfile more. I noticed the mod_xsendfile floating
> around tried to basically replace what the default handler does very well.
>
> Basically, my version does a subrequest for the file. This allows things
> like "Deny from all", etc, to work. This should be more secure, i.e., if you
> set your deny's correctly, you can't "X-Sendfile: /etc/passwd". All in all,
> it seems more "httpd"-like, to me.

I am not very familiar with X-Sendfile (as in: I read about it but never used it), but it sounds like it's breaking the FastCGI security model. The FastCGI process is likely to be running under a different account, but here we have a facility that allows that other process to use the privileges of the Apache user to fetch a file. I can see how this feature could easily find its way to the list of small tricks that can be used to compromise a web server installation, one step at a time.

> It is very rough. I do not understand brigades enough to know why it is
> chunking every reply in my tests. I have tested with just a normal cgi
> setting the header.
>
> Not well tested. I'd like to see us work toward getting X-sendfile into the
> normal httpd distribution (along with mod_fcgid...)
>
>
> --
> Brian Akins
> Chief Operations Engineer
> Turner Digital Media Technologies
>
>

--
Ivan Ristic
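
The access rules that the subrequest approach described above depends on, as an added example that is not part of either message. It is written in Apache 2.2-style syntax, the paths /var/www/html and /srv/app/downloads are hypothetical, and it assumes (as the quoted message states) that the X-Sendfile path is resolved through a subrequest that honours these rules.

```apache
# Default-deny for the whole filesystem. Under the subrequest design, a backend
# response header such as "X-Sendfile: /etc/passwd" resolves to a path covered
# by this block and is refused like any other denied request.
<Directory />
    Options None
    # Keep .htaccess files from relaxing the rules below.
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Ordinary document root (hypothetical path), served directly by URL.
<Directory /var/www/html>
    Order allow,deny
    Allow from all
</Directory>

# The one directory the backend is meant to hand files off from (hypothetical
# path). It sits outside the document root, so no URL maps to it directly;
# its files are reachable only when the backend names them in X-Sendfile.
<Directory /srv/app/downloads>
    Options None
    Order allow,deny
    Allow from all
</Directory>
```

With rules like these, the set of files the backend account can ask the Apache user to read is whatever the allow blocks cover, so that set is the thing to review when weighing the concern raised in the reply.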