Better Solutions

Fortunately there are better solutions available:

  1. mod_line_edit, mod_substitute or mod_sed can be used as an exact equivalent to mod_ext_filter+sed, but at a tiny fraction of the performance overhead. They can also be configured to generalise better.
  2. For HTML pages, markup-aware filters can do the job more intelligently, again at a much-reduced overhead compared to mod_ext_filter.

In fairness to Barnett, things have changed since he wrote his book. mod_line_edit was published in December 2005, just three months before Barnett's book, while the other modules came later. Several markup-aware modules that'll do the job are older (going back to 2003), but none of them was intended or advertised as a security aid.

So, let's look at how we can improve on Barnett's solution to information disclosure. First, we just replace Barnett's solution with mod_line_edit:


# Apply the line editor only to text/html responses
SetEnv LineEdit "text/html"
# Strip HTML comments: the same greedy pattern as Barnett's sed rule (fixed below)
LERewriteRule <!--.*--> ""
<LocationMatch /cgi-bin/wm*>
    SetOutputFilter line-editor
</LocationMatch>

Right. That helps with performance. To implement Barnett's other fixes, we introduce two more LERewriteRules, which mod_line_edit applies in a single, efficient parse. We've eliminated three external program calls (in effect, three times the "CGI Overhead"), and reduced the number of times we parse the document from three to one.

Fixing the regexp is easy: for example, the non-greedy <!--.*?--> works, so two comments on one line no longer swallow the markup between them. That leaves us with multi-line comments to deal with. mod_line_edit can do that too: with

LELineEnd NONE

it will slurp the whole document into memory before parsing (a significant performance overhead for large responses, but vastly better than an ext_filter). Or, with

LELineEnd CUSTOM >

it will treat > as "line end", so that comments will be parsed whole (provided no literal > appears within a comment: a comment that contains one is cut into two records, neither half matches, and that comment survives). In either case, remember that in PCRE a . does not match a newline by default, so a comment spanning several lines still needs the pattern written as (?s)<!--.*?--> (or <!--[\s\S]*?-->) to be caught.
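To see what each of these settings actually does to a response, here is a small Python model of mod_line_edit's record splitting and rule application. It is an added example, not code from this page or from mod_line_edit itself; it assumes (my assumption, not taken from the module's source) that the record handed to a rule includes its line terminator, so a rule can match up to and including a >. SAMPLE_HTML is a constructed response containing the three comment shapes discussed above.

```python
import re

# Constructed sample response (not from the page): three comment shapes that
# a line-based sed/line-edit rule handles differently.
SAMPLE_HTML = (
    "<html><body>\n"
    "<p>a</p><!-- one --><p>keep me</p><!-- two --><p>b</p>\n"  # two comments, one line
    "<!-- multi\n"
    "line -->\n"                                                 # comment spanning lines
    "<p>c</p><!-- has a > inside --><p>d</p>\n"                  # literal '>' in a comment
    "</body></html>\n"
)


def split_records(doc, line_end):
    """Model of LELineEnd: cut the document into records at line_end.

    Assumption (mine, not from mod_line_edit's source): the terminator stays
    attached to the record it ends.  line_end=None models 'LELineEnd NONE',
    i.e. the whole document is a single record.
    """
    if line_end is None:
        return [doc]
    parts = doc.split(line_end)
    records = [part + line_end for part in parts[:-1]]
    if parts[-1]:
        records.append(parts[-1])
    return records


def line_edit(doc, pattern, line_end="\n"):
    """Apply one 'LERewriteRule <pattern> ""' to every record and reassemble."""
    rule = re.compile(pattern)
    return "".join(rule.sub("", record) for record in split_records(doc, line_end))


def comments_left(doc):
    """Number of comment openers that survived the filter."""
    return doc.count("<!--")


def run_cases():
    """The configurations discussed above, each applied to SAMPLE_HTML."""
    return {
        # Barnett's greedy pattern on default (newline-terminated) records:
        # everything between the first '<!--' and the last '-->' on the line goes.
        "greedy": line_edit(SAMPLE_HTML, r"<!--.*-->"),
        # Non-greedy fix, still newline records: the multi-line comment survives.
        "lazy": line_edit(SAMPLE_HTML, r"<!--.*?-->"),
        # LELineEnd NONE: one record, but '.' stops at a newline, so no better.
        "lazy_none": line_edit(SAMPLE_HTML, r"<!--.*?-->", None),
        # LELineEnd NONE with (?s) so '.' also matches newline: all comments go.
        "lazy_none_dotall": line_edit(SAMPLE_HTML, r"(?s)<!--.*?-->", None),
        # LELineEnd CUSTOM >: the '>' inside a comment ends a record early,
        # so that one comment is split across two records and survives.
        "lazy_gt": line_edit(SAMPLE_HTML, r"(?s)<!--.*?-->", ">"),
    }


if __name__ == "__main__":
    for name, out in run_cases().items():
        print(f"=== {name}: {comments_left(out)} comment(s) left ===")
        print(out)
```

The "greedy" case drops the <p>keep me</p> between two comments, which is the information-destroying behaviour the non-greedy pattern fixes; "lazy_none" versus "lazy_none_dotall" shows why the (?s) modifier matters once records span lines; and "lazy_gt" shows the CUSTOM > caveat: a comment containing a literal > is left in the response.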