httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject [users@httpd] Proposed simple shell-shock protection
Date Fri, 26 Sep 2014 14:41:43 GMT
I've revisited mod_taint this morning, and made some updates:
a bugfix, a new option to apply an untainting rule to all headers.
But topically, a canned configuration option to protect
against shell-shock patterns:

  LoadModule modules/
  Untaint shellshock

Untaint works in a directory context, so can be
selectively enabled for potentially-vulnerable apps
such as those involving CGI, SSI, ExtFilter,
or (other) scripts.

This goes through all Request headers, any PATH_INFO
and QUERY_STRING, and (just to be paranoid) any
other subprocess environment variables.  It untaints
them against a regexp that checks for "()" at the
beginning of a variable, and returns an HTTP 400 error
(Bad Request) if found.

Feedback welcome, indeed solicited.  I believe this
is a simple but sensible approach to protecting
potentially-vulnerable systems, but I'm open to
contrary views.  The exact details, including the
shellshock regexp itself, could probably use some
refinement.  And of course, bug reports!

Builds and runs with httpd 2.2 and 2.4.  Very limited
testing verifies that it catches a shellshock attack
in a request header.

Note: cross-posting, with followup-to set to dev@.
If you're following up to report a critical bug,
adding users@ will ensure widest exposure!

Nick Kew

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message