From owner-freebsd-ports@FreeBSD.ORG Sat Apr 30 05:26:24 2005 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F93A16A4CE for ; Sat, 30 Apr 2005 05:26:24 +0000 (GMT) Received: from outbound0.sv.meer.net (outbound0.sv.meer.net [205.217.152.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 19AFB43D53 for ; Sat, 30 Apr 2005 05:26:24 +0000 (GMT) (envelope-from jrhett@mail.meer.net) Received: from mail.meer.net (mail.meer.net [209.157.152.14]) j3U5QHqL010016; Fri, 29 Apr 2005 22:26:17 -0700 (PDT) (envelope-from jrhett@mail.meer.net) Received: from mail.meer.net (localhost [127.0.0.1]) by mail.meer.net (8.12.1/8.12.10/meer) with ESMTP id j3U5QG7s011325; Fri, 29 Apr 2005 22:26:16 -0700 (PDT) (envelope-from jrhett@mail.meer.net) Received: (from jrhett@localhost) by mail.meer.net (8.12.1/8.12.10) id j3U5QFUD011324; Fri, 29 Apr 2005 22:26:15 -0700 (PDT) (envelope-from jrhett) Date: Fri, 29 Apr 2005 22:26:15 -0700 From: Joe Rhett To: Scot Hetzel Message-ID: <20050430052615.GA8066@meer.net> References: <892CC2C451D0414B90159D10B5BDAA65AB2234@EXCHANGE.astate.edu> <20050207202417.GB37923@meer.net> <20050208004233.GA84236@xor.obsecurity.org> <790a9fff050208142045266974@mail.gmail.com> <20050224203342.GH49530@meer.net> <790a9fff05022414531dd27600@mail.gmail.com> <20050422183816.GB45992@meer.net> <790a9fff05042213306b502f1b@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <790a9fff05042213306b502f1b@mail.gmail.com> User-Agent: Mutt/1.4i Organization: Meer.net LLC cc: ports@freebsd.org cc: Todd Reed Subject: Re: FreeBSD Port: frontpage-5.0.2.2623_1 X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Apr 2005 05:26:24 -0000 On Fri, Apr 22, 2005 at 03:30:06PM -0500, Scot Hetzel wrote: > The one difference that I know of between these two mod_frontpage > ports, is that Improved mod_frontpage checks to see if we have been > authenticated for the ADMIN and ADMINCGI urls. When I added these > checks to the RTR version (change FrontPageAlias to FrontPageNeedAuth > for the ADMIN and ADMINCGI checks in the mod_frontpage.c patches), the > mod_frontpage module was checking for authentication before the Apache > 2.0 server requested authentication. Actually, it's asking for authentication for things that apache doesn't ask for authentication on. This was broken by pathname changes in the rtr-compiled versions of frontpage. See my patches regarding this. > What other significant security enhancements does Improved mod_frontpage have? improved mod_frontpage has all of the security checks that are applied to CGIs. Last time I saw the rtr frontpage module, it was fairly easy to make it run things it shouldn't have if someone left directory permissions too loose. I haven't compared them side by side in a while, and perhaps I should do that before speaking further. -- Joe Rhett senior geek meer.net