On 15 May 2011, at 3:18 PM, Stefan Fritsch wrote:
> Maybe the -A option was a bad example, then, because it allows only
> access to resources that can be viewed directly, too. But ap_expr
> would allow things like
> <!--#if expr="file('/etc/passwd') =~ /.../" >
> This only allows leaking one bit of the file contents per request,
> but if used often enough, it could be used to reconstruct the whole
> file. For .htaccess, this is not a new problem (see SSLRequire), but
> for shtml files, it would be.
Hmmm...
In the mod_include case, having file() without having the file going
through the normal httpd subrequest mechanism to determine whether the
user has access to the file is indeed a security problem. The simplest
would be to perhaps define a "restricted mode" for ap_expr, which
disallowed certain dangerous functions.
You would enable restricted mode if you were parsing shtml,
or .htaccess, but leave restricted mode disabled otherwise. Does that
sound sensible?
Regards,
Graham
--
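As an added illustration of the "restricted mode" Graham proposes (this is example code written for this page, not httpd's ap_expr), a toy expression evaluator with a hypothetical grammar checks the function name at parse time, so file() is refused for expressions coming from .shtml or .htaccess before anything is opened; the filesystem is a constructed in-memory stand-in so it runs offline.

```python
import re

# Added example, not httpd code: a toy evaluator with the restricted mode
# discussed in the thread. The grammar is a hypothetical subset:
#     func('arg') =~ /regex/      or      func('arg') == 'literal'
class ExprError(Exception):
    pass

# Constructed stand-in for the filesystem so the example runs offline.
FAKE_FS = {"/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"}

# Functions that never touch the filesystem are always allowed.
SAFE_FUNCS = {"tolower": str.lower, "toupper": str.upper}
# file() bypasses the subrequest access checks, so it is only offered
# when restricted mode is off.
UNRESTRICTED_FUNCS = {"file": lambda path: FAKE_FS[path]}

_GRAMMAR = re.compile(r"^\s*(\w+)\(\s*'([^']*)'\s*\)\s*(=~|==)\s*(.+?)\s*$")

def parse_expr(expr, restricted):
    """Parse and validate; the function name is checked here, before any
    side effect such as opening a file can happen."""
    m = _GRAMMAR.match(expr)
    if not m:
        raise ExprError("syntax error")
    fname, arg, op, rhs = m.groups()
    funcs = dict(SAFE_FUNCS)
    if not restricted:
        funcs.update(UNRESTRICTED_FUNCS)
    if fname not in funcs:
        raise ExprError(f"{fname}() is not available in restricted mode")
    if op == "=~" and not (len(rhs) > 1 and rhs[0] == rhs[-1] == "/"):
        raise ExprError("=~ needs a /regex/ on the right-hand side")
    return funcs[fname], arg, op, rhs

def evaluate(expr, restricted):
    func, arg, op, rhs = parse_expr(expr, restricted)
    value = func(arg)
    if op == "=~":
        return re.search(rhs[1:-1], value) is not None
    return value == rhs.strip("'")

def restricted_for(context):
    """Graham's proposal: expressions parsed from shtml or .htaccess run
    restricted; expressions from the main server config do not."""
    return context in ("shtml", "htaccess")

def is_rejected(expr, context):
    try:
        evaluate(expr, restricted_for(context))
        return False
    except ExprError:
        return True
```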