Sorry, missed it at the time, but this is nonsense:

> remove r1792169 taint checks from proxy and status modules
>
> Both of these checks are problematic without further work.
>
> status: even a .htaccess with no SetHandler blocks the handler.

The status handler doesn't live in the filesystem. If it's correctly
configured, the filesystem won't be visited, so of course no .htaccess
will be processed.

> proxy: RewriteRule ... ... [P] in htaccess is blocked.

As it should be: for .htaccess to run resources outside its own
directories is a long-standing design bug, and leads to security issues.

Discussed with reference to mod_proxy and mod_status in, for example

https://mail-search.apache.org/members/private-arch/httpd-security/201701.mbox/%3c63b4f81e-f742-563c-d4e4-99c4a50a7...@gmail.com%3E
https://mail-search.apache.org/members/private-arch/httpd-security/201701.mbox/%3CCALK=yjn55j31eyfmle1bvtgy-9--9ftk2yfjzsumrlql+dk...@mail.gmail.com%3E
https://mail-search.apache.org/members/private-arch/httpd-security/201701.mbox/%3c6e96a31c-c4f8-36b8-ea94-8f77a2680...@gmail.com%3E
https://mail-search.apache.org/members/private-arch/httpd-security/201701.mbox/%3CCALK=yjnwr3cncercis4icqvs_wmj-exvddxlsntrplp5qoh...@mail.gmail.com%3E

Leading to the patch committed in r1792169:

> This is for trunk. I'd be more cautious about 2.4 (or 2.2)
> because it could break screwed-up-but-not-dangerous configs
> in production by refusing unexpectedly to run. For those
> I'd suggest moving the check from proxy_handler into scheme
> handlers.
>
> Comments?

https://mail-search.apache.org/members/private-arch/httpd-security/201702.mbox/%3c20170208154128.69d12...@bifrost.webthing.com%3E

(discussion was originally on security@, but it was suggested and the
reporter agreed that it could be brought to dev@).

-- 
Nick Kew
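As an added, defender-side example that is not part of this thread: a small shell audit that walks a DocumentRoot tree for .htaccess files whose RewriteRule lines carry the proxy flag ([P] or proxy), i.e. the per-directory configs that a taint check like r1792169 refuses to run, so an admin can find them before upgrading. The function names, the constructed sample tree and the example hostnames are assumptions; it relies only on find and grep -H (GNU or BSD).

```shell
#!/bin/sh
# Added example, not code from the httpd project or this thread.
# Lists every RewriteRule in any .htaccess under "$1" whose flag list
# contains P or proxy as a whole comma-separated item (case-insensitive,
# like mod_rewrite's own flag parser). [PT] (passthrough) and commented
# lines are deliberately not matched. Output: file:line:rule
find_htaccess_proxy_rules() {
    root="$1"
    re='^[[:space:]]*RewriteRule[[:space:]].*\[([^]]*,)?(P|proxy)(,[^]]*)?\]'
    find "$root" -type f -name .htaccess 2>/dev/null | sort | while IFS= read -r f; do
        # grep exits 1 when a file has no hit; that is not an error here.
        grep -H -n -i -E "$re" "$f" 2>/dev/null || true
    done
}

# Number of offending rules under "$1" (0 means nothing would be refused).
count_htaccess_proxy_rules() {
    find_htaccess_proxy_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical paths and hostnames) so the audit
# can be run offline. Prints the temporary root; caller removes it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site/api" "$d/site/legacy"
    # Proxies to another host from a per-directory config: should be reported.
    printf '%s\n' 'RewriteEngine On' \
        'RewriteRule ^v1/(.*)$ http://backend.example/$1 [P,L]' \
        > "$d/site/api/.htaccess"
    # Redirect, a commented-out proxy rule and a passthrough: not reported.
    printf '%s\n' 'RewriteEngine On' \
        'RewriteRule ^old/(.*)$ /new/$1 [R=301,L]' \
        '# RewriteRule ^x/(.*)$ http://h.example/$1 [P]' \
        'RewriteRule ^pt/(.*)$ /other/$1 [PT]' \
        > "$d/site/legacy/.htaccess"
    printf '%s\n' "$d"
}

# Demo on the constructed tree; cleans up after itself.
demo_root=$(make_sample_tree)
find_htaccess_proxy_rules "$demo_root"
rm -rf "$demo_root"
```

Point it at a real DocumentRoot (or each AllowOverride-enabled tree) to get the list of directories whose owners need to move the proxying into server config, where the taint check does not apply.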