I've revisited mod_taint this morning, and made some updates: a bugfix, a new option to apply an untainting rule to all headers. But topically, a canned configuration option to protect against shell-shock patterns:
LoadModule modules/mod_taint.so Untaint shellshock Untaint works in a directory context, so can be selectively enabled for potentially-vulnerable apps such as those involving CGI, SSI, ExtFilter, or (other) scripts. This goes through all Request headers, any PATH_INFO and QUERY_STRING, and (just to be paranoid) any other subprocess environment variables. It untaints them against a regexp that checks for "()" at the beginning of a variable, and returns an HTTP 400 error (Bad Request) if found. Feedback welcome, indeed solicited. I believe this is a simple but sensible approach to protecting potentially-vulnerable systems, but I'm open to contrary views. The exact details, including the shellshock regexp itself, could probably use some refinement. And of course, bug reports! Builds and runs with httpd 2.2 and 2.4. Very limited testing verifies that it catches a shellshock attack in a request header. http://people.apache.org/~niq/mod_taint.html Note: cross-posting, with followup-to set to dev@. If you're following up to report a critical bug, adding users@ will ensure widest exposure! -- Nick Kew --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
