sankarNarayanan / modwsgi

Automatically exported from code.google.com/p/modwsgi

WSGIDaemonProcess group can be accessed from virtual host with same name when port differs. #134

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
When WSGIDaemonProcess is nested inside of a VirtualHost, it is supposed to only be able to be referenced by WSGIProcessGroup within that same virtual host.

At present the check for this only takes into consideration the server name for the virtual host and not the port. This means that if hosting many sites on the same server name but different ports, it is possible to access a daemon process assigned against a different port when it perhaps shouldn't be.

Check should thus include the port.

If it is necessary to have a daemon process group which is usable across different ports, then it should be defined outside of the virtual host.

The only exception to this may be for ports 80/443. But then, that creates a strange situation where the WSGIDaemonProcess directive only appears on one VirtualHost and it is not obvious that WSGIProcessGroup in the other would pick it up. Some more thought is needed on how to manage this.

Original issue reported on code.google.com by Graham.Dumpleton@gmail.com on 27 Feb 2009 at 10:53

GoogleCodeExporter commented 8 years ago
Area of code that would need to change is:

    /*
     * Only allow the process group to match against a daemon
     * process defined within a virtual host with the same
     * server name or a daemon process defined at global server
     * scope.
     */

    if (group->server != r->server && group->server != wsgi_server) {
        if (strcmp(group->server->server_hostname,
                   r->server->server_hostname) != 0) {
            wsgi_log_script_error(r, apr_psprintf(r->pool, "Daemon "
                                  "process called '%s' cannot be "
                                  "accessed by this WSGI application",
                                  config->process_group), r->filename);

            return HTTP_INTERNAL_SERVER_ERROR;
        }
    }

Original comment by Graham.Dumpleton@gmail.com on 27 Feb 2009 at 11:00

GoogleCodeExporter commented 8 years ago
Not sure this restriction can actually be implemented. The VirtualHost directive syntax is:

  <VirtualHost addr[:port] [addr[:port]] ...> ... </VirtualHost>

Thus, it could be listening on multiple ports, or even all ports.

Original comment by Graham.Dumpleton@gmail.com on 4 Mar 2009 at 5:12

GoogleCodeExporter commented 8 years ago
Can't automatically do anything to make this more restrictive. Will just need to be clear in the documentation that one can reference between same named virtual hosts on different ports. This could be a problem if allowing users to select the process group. If this should not be allowed, the WSGIRestrictProcess directive should be used to control what processes users can select.

Original comment by Graham.Dumpleton@gmail.com on 12 Mar 2009 at 5:38
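
The hostname-only check quoted in the second comment can be modelled stand-alone to list which vhost-scoped daemon process groups are usable from a different virtual host. This is an added example, not mod_wsgi code: the `vhost_t` and `daemon_group_t` structs, the function names, and the host names and ports are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed, simplified stand-ins for Apache's server_rec and a process group. */
typedef struct { const char *server_hostname; unsigned port; } vhost_t;
typedef struct { const char *name; const vhost_t *server; } daemon_group_t;

/* Same logic as the quoted check (1 = allowed, 0 = refused); port is never read. */
static int group_accessible(const daemon_group_t *group,
                            const vhost_t *req, const vhost_t *global)
{
    if (group->server != req && group->server != global &&
        strcmp(group->server->server_hostname, req->server_hostname) != 0)
        return 0;
    return 1;
}

/* Constructed sample configuration (hypothetical names and ports). */
static const vhost_t global_srv = { "main.example.test", 0 };
static const vhost_t vhosts[] = {
    { "apps.example.test", 8001 },
    { "apps.example.test", 8002 },
    { "other.example.test", 8001 },
};
static const daemon_group_t groups[] = {
    { "tenant-a", &vhosts[0] },  /* nested in apps.example.test:8001 */
    { "shared", &global_srv },   /* defined at global server scope */
};

/* Audit: count vhost-scoped groups usable from a vhost other than their own. */
static int count_cross_vhost_exposures(void)
{
    int found = 0;
    for (size_t g = 0; g < sizeof groups / sizeof groups[0]; g++) {
        if (groups[g].server == &global_srv) continue;  /* meant to be shared */
        for (size_t v = 0; v < sizeof vhosts / sizeof vhosts[0]; v++) {
            if (groups[g].server != &vhosts[v] &&
                group_accessible(&groups[g], &vhosts[v], &global_srv)) {
                printf("group '%s' defined on port %u is usable from %s:%u\n",
                       groups[g].name, groups[g].server->port,
                       vhosts[v].server_hostname, vhosts[v].port);
                found++;
            }
        }
    }
    return found;
}
int main(void) { return count_cross_vhost_exposures() == 1 ? 0 : 1; }
```

Any pair this reports is a process group that a same-named virtual host on another port can reference, which is the case the last comment says to cover with WSGIRestrictProcess when users can select the process group.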