Re: svn commit: r773881 - in /httpd/httpd/branches/2.2.x: CHANGES

on 22.05.2009 23:14:38 by Jeff Trawick


On Fri, May 22, 2009 at 5:10 PM, William A. Rowe, Jr. wrote:

> Jeff Trawick wrote:
> >
> > Backing up a bit...
> >
> > I originally thought we could map bit values in 2.2.x to avoid affecting
> > modules, but that isn't possible since includes-with-exec is two bits
> > instead of one.
>
> Hold on... I think this can still work:
>
> * Retain new true 'Includes' bit as old IncludesNoExec macro value
> Keep ancient Includes flag bit as 256, never true.
>
> - all httpd modules testing for including but not executing
> permission see the permission as allowed
>
> - old httpd modules testing for includes with exec permission
> see the permission as denied, until they update the module
>
> - httpd modules which force/override the includes without exec
> permission would still work
>
> - httpd modules which force/override the includes exec behavior
> would just fail to update anything (256 & 0xff == 00), so it
> becomes a noop until they update the module
>
> So it has no negative security consequences, still would require
> an update to the rare module, but lets us ship something without
> really nasty side effects.
>

I'll think harder about this once my latest proposal gets shot down ;)
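The compatibility mapping William Rowe sketches above, modelled as an added example; this is not code from the httpd project or from either poster. The bit values, the names and the 8-bit option-set type are constructed for illustration (the thread's remark that `256 & 0xff == 00` is what motivates the 8-bit assumption) and are not httpd's actual `OPT_*` macro values. The point it shows is the one Rowe makes: a stale module that tests or forces the "includes with exec" bit fails closed, while one dealing with includes-without-exec keeps working.

```c
#include <stdio.h>

/* Constructed model of the proposed mapping. Names and values are
 * illustrative, NOT httpd's real OPT_* macros. Assumption: the option
 * set is stored in an 8-bit type, which is why a bit valued 256 masks
 * to zero (256 & 0xff == 0) as the thread notes. */
typedef unsigned char opt_set_t;

/* Values a module compiled against the OLD headers has baked in. */
#define OLD_OPT_INCNOEXEC   32   /* old "IncludesNoExec" bit (illustrative) */
#define OLD_OPT_INCLUDES    256  /* "ancient Includes flag bit ... 256, never true" */

/* Values the NEW core uses: the true 'Includes' (no exec) bit reuses the
 * old IncludesNoExec value; exec permission is a separate new bit. */
#define NEW_OPT_INCLUDES        OLD_OPT_INCNOEXEC  /* include, no exec */
#define NEW_OPT_INC_WITH_EXEC   64                 /* exec permission (illustrative) */

/* New core applies the admin's configuration: Includes without exec. */
opt_set_t core_config_includes_noexec(void) { return NEW_OPT_INCLUDES; }

/* Old module asking "may I include but not execute?" -> allowed. */
int old_module_checks_noexec(opt_set_t o) { return (o & OLD_OPT_INCNOEXEC) != 0; }

/* Old module asking "may I include with exec?" -> bit 256 can never be
 * present in an 8-bit set, so the answer is always denied. */
int old_module_checks_exec(opt_set_t o) { return (o & OLD_OPT_INCLUDES) != 0; }

/* Old module forcing/overriding exec includes: storing back into the
 * 8-bit set drops bit 256, so the set is unchanged (a noop). */
opt_set_t old_module_forces_exec(opt_set_t o) { return (opt_set_t)(o | OLD_OPT_INCLUDES); }

/* Old module forcing includes-without-exec still takes effect. */
opt_set_t old_module_forces_noexec(opt_set_t o) { return (opt_set_t)(o | OLD_OPT_INCNOEXEC); }

/* New core grants exec includes only when both new bits are set. */
int core_allows_exec_includes(opt_set_t o) {
    return (o & NEW_OPT_INCLUDES) != 0 && (o & NEW_OPT_INC_WITH_EXEC) != 0;
}

int main(void) {
    opt_set_t o = core_config_includes_noexec();
    printf("old module, noexec check: %d\n", old_module_checks_noexec(o));
    printf("old module, exec check:   %d\n", old_module_checks_exec(o));
    opt_set_t forced = old_module_forces_exec(o);
    printf("set after stale exec force: 0x%02x\n", forced);
    printf("core allows exec includes:  %d\n", core_allows_exec_includes(forced));
    return 0;
}
```

Only a module rebuilt against the new headers can set `NEW_OPT_INC_WITH_EXEC`, so until it is updated the worst it can do is lose a permission, never gain one; that is the "no negative security consequences" property of the proposal.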
