On Fri, Sep 20, 2013 at 4:31 PM, Benjamin Coddington <bcodd...@uvm.edu> wrote:

> Hello everyone,
>
> We're looking at moving our shared hosting execution behind mod_fcgid and
> suexec, but we need to continue to allow our users' .htaccess 'Files'
> overrides.  The current mod_fcgid allows users to execute arbitrary
> commands by configuring the FcgidAccessChecker, FcgidAuthenticator,
> FcgidAuthorizer, and FcgidWrapper directives within .htaccess files.
>
>  - https://issues.apache.org/bugzilla/show_bug.cgi?id=49220
>
> I've approached a fix by creating a directive that would disable the
> application of those directives within .htaccess files if set; that patch
> has been submitted to the httpd bug 49220.
>
> You might shrewdly wonder "how can this matter - this is cgi after all,
> we're just going to try to exec the resulting file!", but we're able to get
> away from that by disabling ExecCGI globally and setting it per-request in
> a separate module which also ensures the request is mapped to our specific
> FcgidWrapper.
>
> I see mod_fcgid 2.3.8 is closing in a few days; any chance to sneak this
> in?  Thanks for your time and consideration.
>
> Ben


I'd like to see this aligned with 2.4's AllowOverrideList as much as
practical, but AllowOverrideList is more flexible and I haven't yet looked
at what changes to the patch would be necessary.  The feature should be
disabled when building for 2.4/trunk since those server versions already
have an appropriate feature.  It would be nice if the only change when
moving between server versions is
"FcgidAllowOverrideList"<->"AllowOverrideList".

I'll look more in the next day.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
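
An added example, not part of either message or of mod_fcgid: a small audit script that reports where the four directives named in the thread appear in .htaccess content, useful for reviewing existing user files when restricting overrides. The function names and the sample file contents are constructed for illustration.

```python
# The four mod_fcgid directives the thread names as settable from .htaccess.
FCGID_EXEC_DIRECTIVES = {
    "fcgidaccesschecker", "fcgidauthenticator",
    "fcgidauthorizer", "fcgidwrapper",
}

def logical_lines(text):
    """Yield (first_line_no, joined_line), joining backslash-continued lines."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):          # httpd continues onto the next line
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:               # file ended on a dangling continuation
        yield start, buf

def find_fcgid_overrides(text):
    """Return [(line_no, directive, arguments)] for each flagged directive."""
    hits = []
    for n, line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                    # blank line or comment
        parts = stripped.split(None, 1)
        # Directive names are case-insensitive in httpd configuration.
        if parts[0].lower() in FCGID_EXEC_DIRECTIVES:
            args = parts[1].strip() if len(parts) > 1 else ""
            hits.append((n, parts[0], args))
    return hits

# Constructed sample .htaccess content (paths are placeholders).
SAMPLE = r"""# constructed sample
Options -Indexes
<Files "*.php">
    fcgidwrapper /home/user/bin/wrap .php
</Files>
FcgidAuthenticator \
    /home/user/bin/auth
# FcgidAuthorizer /commented/out
RewriteEngine On
"""

if __name__ == "__main__":
    for line_no, directive, args in find_fcgid_overrides(SAMPLE):
        print(f"line {line_no}: {directive} {args}")
```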
