Allow members to set the safe NoDecode mode instead of unequivocally
rejecting URLs with encoded slashes. "On" is not supported because we do
not want to allow encoded urls to access arbitrary directories (not sure
if it's paranoia, but the apache docs discourage it).
https://bugzilla.hcoop.net/show_bug.cgi?id=1220
https://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
extern type file_extension;
extern val cgiExtension : file_extension -> [^Vhost];
{{Ask for all files ending in a particular extension to be executed as CGI.}}
extern type file_extension;
extern val cgiExtension : file_extension -> [^Vhost];
{{Ask for all files ending in a particular extension to be executed as CGI.}}
+
+extern val allowEncodedSlashes : bool -> [Vhost];
+{{Enable or disable <a href="https://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes">encoded lashes</a>. Default is false, true sets <code>NoDecode</code>, full decoding is insecure and unsupported.}}
\ No newline at end of file
Domain.Extension {extension = "vhost_ssl",
heading = fn host => "SSL web vhost " ^ host ^ ":"}])
Domain.Extension {extension = "vhost_ssl",
heading = fn host => "SSL web vhost " ^ host ^ ":"}])
+val () = Env.action_one "allowEncodedSlashes"
+ ("enable", Env.bool)
+ (fn enable => (write "\tAllowEncodedSlashes ";
+ write (if enable then "NoDecode" else "Off");
+ write "\n"))
val () = Env.action_none "testNoHtaccess"
(fn path => write "\tAllowOverride None\n")
val () = Env.action_none "testNoHtaccess"
(fn path => write "\tAllowOverride None\n")
HCoop / hcoop / domtool2.git / commitdiff