From: Joe Orton Date: Fri, 15 May 2026 10:26:37 +0000 (+0000) Subject: Add initial draft of a security model. X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=b5ad35bc7a16e25e4c7e99a2eb739d77cef052c7;p=thirdparty%2Fapache%2Fhttpd.git Add initial draft of a security model. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1934213 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/SECURITY.md b/SECURITY.md index 325c5d9c54..d0bd1bfee7 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,15 +1,126 @@ -# Security Policy + +# Apache httpd Security Policy + +This document is an overview of the security model for Apache +httpd. Security vulnerabilities reported to the project need to +demonstrate how an attacker can violate the security model. ## Supported Versions Currently the only supported version is the latest patch release of the -2.4.x stable branch. +`2.4.x` stable branch. Vulnerabilities which exist *only* in +unreleased branches (such as `trunk`) may be treated as normal bug +reports. -## Security Updates +## Reporting Vulnerabilities -[Apache 2.4 Security Vulnerabilities](http://httpd.apache.org/security/vulnerabilities_24.html) +For information on how to report a new security problem please see +[here](http://httpd.apache.org/security_report.html). The process of +reporting and handling vulnerabilities is out of scope for this +document. -## Reporting a Vulnerability +For a list of already-addressed vulnerabilities, see [Apache 2.4 Security +Vulnerabilities](http://httpd.apache.org/security/vulnerabilities_24.html) -For information on how to report a new security problem please see -[here](http://httpd.apache.org/security_report.html) +## Model scope + +If an issue is reported against an aspect of the security model which +is not documented here, it MUST be accompanied by a clear description +of that aspect the model, showing why a trust boundary exists and how +it is violated. It is helpful to use references to documentation +and/or demonstrate common usage patterns. + +Any security vulnerability SHOULD be reproducible: + +1. under a reasonable, supported configuration. +2. without using third-party modules, or modules explicitly designed + for debugging. +3. under a standard build on a supported platform. + +Issues which are reproducible only using instrumented builds (such as +ASAN, or under valgrind) should be clearly explained as such. 
+ +## Basic model + +Processing of requests by remote untrusted users (HTTP clients) MUST +NOT crash or prematurely terminate server processes, nor gain code +execution privileges. In the default configuration, timeouts are +applied to most aspects of HTTP request handling such that a single +client SHOULD NOT tie up a single processing thread or process +indefinitely. + +It is the responsibility of the server administrator to tune and +configure httpd appropriately to the operating environment, for +example adjusting MPM limits (see +https://httpd.apache.org/docs/trunk/misc/security_tips.html). + +Denial of service attacks are expected to be mitigated at firewall or +network level. It is expected that an attacker who is able to +establish multiple simultaneous connections to the server will, to +some extent, deny service to other remote users. + +Example vulnerabilities which violated the model: CVE-2026-23918, +CVE-2004-0786. + +## Resource Consumption + +Handling requests entails resource consumption (CPU, memory, disk +space for logs, etc). It is expected that resource consumption by the +server is at worst proportional to the volume of network traffic. + +Memory consumption by a single request should be capped, with +configurable limits; e.g. LimitRequestFields limits the RAM +consumption by HTTP headers, LimitXMLRequestBody limits the RAM +consumption by parsing XML request documents. + +Example vulnerabilities which violated the model: CVE-2004-0942 + +## Privilege separation on Unix platforms + +On Unix platforms, when httpd is started as the root user, privilege +separation is used between the parent process which retains root +privileges, and child processes (and threads). 
Child processes/threads +run as a less-privileged user and group which is configurable via the +`mod_unixd` module, https://httpd.apache.org/docs/2.4/mod/mod_unixd.html + +The less-privileged user: + +* cannot obtain root privileges, +* cannot read or truncate log files, +* retains access to e.g. any private TLS key data loaded in memory. + +Use of platform-specific sandboxing or security features (such as use +of containers, chroot, SELinux) are out of scope for this security +model. + +Example vulnerabilities which violated the model: CVE-2007-3304, +CVE-2012-0031. + +## Delegated Configuration + +Server configuration can be delegated to trusted local site authors by +allowing use of .htaccess files in non-default configurations. Local +site authors are trusted to not attack the server with malformed or +malicious .htaccess files (for example, files of excessive size). + +In configurations supporting in-process scripting language interpreters +which are not sandboxed, such as `mod_lua` or `mod_php`, local site +authors have equivalent privileges to the less-privileged server user. + +(### TODO something about AllowOverride) + +## Dependent Services + +Many configurations depend on backend servers or services which are +trusted entities. + +* Backend servers accessed in a proxy configuration should not be able + to influence HTTP protocol framing logic in the frontend (client) + ("response splitting" attacks). + +* Services used for authentication or caching privileged/protected + data (Redis/Valkey caches, database or LDAP servers) are trusted not + to attack the web server. + +Example vulnerabilities which violated the model: CVE-2026-33523, +CVE-2024-42516.
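Review bot: the `(### TODO something about AllowOverride)` placeholder in the Delegated Configuration section is still in the hunk; either write the paragraph (the trust statement about local site authors depends on which `AllowOverride` directives an administrator enables, so the model is incomplete without it) or drop the line so a bare TODO does not ship in the published policy. Smaller points in the same hunk: "a clear description of that aspect the model" in Model scope is missing "of" ("that aspect of the model"); the sentence ending in the `vulnerabilities_24.html` link has no terminating period; and the `mod_unixd` sentence ends on a bare URL with no closing punctuation. The bullet "retains access to e.g. any private TLS key data loaded in memory" would also benefit from one clarifying sentence, since as written it is the only item in the list that states a capability the less-privileged user keeps rather than one it lacks, and a reader could miss that this is the intended trust boundary (code execution as the child user is not expected to be contained from loaded key material).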