From: Ivan Ristic <ivan.ristic@gm...> - 2009-10-27 08:45:47
I have this idea that ModSecurity should not use post_read for its
phase 1. Instead, phase 1 should use the same hook as phase 2. With
this change, users would be able to override configuration from a
<Location> or <Directory> container, removing the problem that has
been causing confusion for years. The only advantage of having phase 1
early is to allow for rules that are protecting Apache itself, but I
am yet to see a single such rule. Besides, we can still keep one such
early phase (although we'd better move to using names for phases,
instead of numbers).
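The confusion described in the message, shown as an added configuration example that is not part of the original post. The rule ids, the header pattern and the `/monitoring/` path are constructed for illustration, and the last rule is one possible workaround under the current hook placement, not something the message proposes.

```apache
# Constructed example: ids, patterns and paths are hypothetical.
SecRuleEngine On

# Workaround under the current behaviour: make the exception a phase 1 rule
# at server scope, placed before the rule it removes, keyed on the URI.
SecRule REQUEST_URI "@beginsWith /monitoring/" \
    "phase:1,id:900,t:none,nolog,pass,ctl:ruleRemoveById=1000"

# Phase 1 rule at server scope. It runs in the post_read_request hook,
# before Apache has mapped the request to a <Location> or <Directory>.
SecRule REQUEST_HEADERS:User-Agent "@contains scanner" \
    "phase:1,id:1000,t:none,deny,status:403,log,msg:'Blocked user agent'"

# Phase 2 rule at server scope. It runs in a later hook, after the
# per-location configuration has been merged.
SecRule ARGS "@contains <script" \
    "phase:2,id:2000,t:none,deny,status:403,log,msg:'Script tag in argument'"

<Location /monitoring/>
    # Intent: exempt this path from both rules.
    # Rule 2000 (phase 2): removed, the location config is in effect by then.
    # Rule 1000 (phase 1): has already run under the server-level config,
    #                      so this override arrives too late to matter.
    SecRuleRemoveById 1000 2000
</Location>
```

If phase 1 used the same hook as phase 2, the `SecRuleRemoveById` line inside `<Location>` would cover both rules and rule 900 would be unnecessary.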