mod_xsendfile icon indicating copy to clipboard operation
mod_xsendfile copied to clipboard

Published 20 hours ago verified publisher icon nmaier

Add request (input) header for output handler

Open jtfrey opened this issue 8 years ago • 5 comments

If mod_xsendfile is enabled on a request the X-SENDFILE-IS-ENABLED header is added to the request (input) headers so that the output handler knows X-Sendfile is supported on the request output.

Updated the docs accordingly.

jtfrey avatar Sep 26 '16 15:09 jtfrey

lgtm in general.

I am pondering right now if it would be better to have the header value state it is mod_xsendfile and what version (kind of a user-agent string) instead of just 1. That way the backend could detect it's mod_xsendfile (and a particular version to work around quirks) that is enabled. Checking just for the header to be present would still be the same. And as far as information leaks... If an attacker really controls the backend, and mod_xsendfile had some kind of vulnerability they could exploit... Then they still would try even if mod_xsendfile did not announce it's version so "leaking" the version to the backend like this has still would be no gain for an attacker.

Anything I am missing?

nmaier avatar Sep 26 '16 16:09 nmaier

I am pondering right now if it would be better to have the header value state it is mod_xsendfile and what version (kind of a user-agent string) instead of just 1. That way the backend could detect it's mod_xsendfile (and a particular version to work around quirks) that is enabled. Checking just for the header to be present would still be the same.

That seems like a good idea. Since the version doesn't appear in any other strings, I'm leaning toward:

#define AP_XSENDFILE_IS_ENABLED_HEADER "X-SENDFILE-IS-ENABLED" #ifndef AP_XSENDFILE_IS_ENABLED_HEADER_VALUE #define AP_XSENDFILE_IS_ENABLED_HEADER_VALUE "mod_xsendfile/1.0" #endif

And as far as information leaks... If an attacker really controls the backend, and mod_xsendfile had some kind of vulnerability they could exploit... Then they still would try even if mod_xsendfile did not announce it's version so "leaking" the version to the backend like this has still would be no gain for an attacker.

Correct.

Working on your requested alterations right now, should have a commit pushed shortly.

jtfrey avatar Sep 26 '16 16:09 jtfrey

Sounds good re:version string... Or maybe make it AP_XSENDFILE_VERSION "1.0" and then "mod_xsendfile/" AP_XSENDFILE_VERSION

nmaier avatar Sep 26 '16 16:09 nmaier

Requested changes pushed to my fork

jtfrey avatar Sep 26 '16 17:09 jtfrey

hey folks. it would be great to get this pull merged. folks relying on mod_xsendfile are starting to get push back because it's "no longer actively maintained".

https://serverfault.com/questions/879130/is-mod-xsendfile-deprecated/

zee0 avatar May 31 '18 14:05 zee0