Apache security - list all possible handlers / actions
To ensure there aren't security weaknesses that can be exploited via .htaccess, how can we see all possible handlers that Apache can use via directives like SetHanlder
and AddHandler
.
I know I can find some by looking at the output of mod_info or grepping through conf files (which was an approach I found when trying to find an answer to this question), but that doesn't mean there aren't handlers available that aren't listed that way. I imagine I could download and search through all the source code of Apache and every module that's loaded and see what they are registering, but is there a better way?
A quick fix would be to not allow AddHandler and SetHandler in .htaccess, but that has its drawbacks. For example, Drupal has a valid use-case for the SetHandler directive as it uses it as part of defense in depth for preventing PHP scripts from running if someone somehow manages to upload them to the site through a file uploader.
Here are some examples of what I'm referring to:
AddHandler server-parsed .shtml
SetHandler server-info
AddHandler application/x-httpd-php5 .php
Here's Drupal's use case from sites/default/files/.htaccess if anyone's interested:
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
EDIT July 30, 2015: This is not an exhaustive answer, but in case it's helpful to anyone, I found some handlers listed at the top of http://httpd.apache.org/docs/2.4/handler.html and also read that custom handlers can be created by the Action directive (see http://httpd.apache.org/docs/2.4/mod/mod_actions.html#action).
EDIT Sept 1, 2015: I wonder if there's some way to dump the memory of an httpd process and find the handlers names in there. I tried this using gcore, but didn't have success (though I've never used that before and got a warning when doing it, so I'm not sure if I'm doing something wrong).
Solution 1:
Not possible, sorry. As per my statement on The Apache Modules Guide:
Thus, the server itself does not presume to know which module is responsible for handling a specific request, and will ask each module whether they have an interest in a given request or not. It is then up to each module to either gently decline serving a request, accept serving it or flat out deny the request from being served, as authentication/authorization modules do
It is all handled at request-time, as per the design, so you cannot traverse modules or otherwise figure this out. You have to read the source code of each module to learn about their handler names.
Your best bet is to make a module yourself that checks the handler currently set for a request against a set of accepted handler names, and changes it to default if not present in the list.
Solution 2:
I'm pretty sure there is no already-implemented way to return a list of existing actions, scripts, etc your handler could map requests to.
It might be possible to write an apache module that could return such information, but it'd take a bit of exploration of the apache code to even understand what's possible there.