httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: Agenda for 1.2b7
Date Sat, 01 Feb 1997 22:55:06 GMT

On Sat, 1 Feb 1997, Marc Slemko wrote:
>   * In your security tips, you use the invalid
>     directive <Directory>.  It used to be (correctly)
>     <Directory />.  But I would suggest that it isn't
>     paranoid enough, anyway, as PUT shouldn't be
>     allowed for arbitrary directories. [Nick Maclaren <nmm1@cus.cam.ac.uk>]

It might be better to suggest something like this:

    # default is to deny everything to the entire filesystem
    <Directory />
    AllowOverride None
    Options SymLinksIfOwnerMatch
    order deny,allow
    deny from all
    </Directory>

    # now allow appropriate access to the areas we want
    <Directory /home/www/cgi-bin>
    AllowOverride None
    Options ExecCGI
    order allow,deny
    allow from all
    </Directory>

    <Directory /home/www/docroot>
    Options Includes Indexes ExecCGI SymLinksIfOwnerMatch MultiViews
    AllowOverride None
    order allow,deny
    allow from all
    </Directory>

    <Directory /home/www/icons>
    order allow,deny
    allow from all
    </Directory>

    <Directory /home/*/public_html>
    Options Indexes ExecCGI SymLinksIfOwnerMatch MultiViews
    AllowOverride None
    order allow,deny
    allow from all
    </Directory>

>   * 64-bit issues; general cleanup, ap_snprintf("%d", (int)-1) giving
>     wrong behavior on Alpha boxes.

I've forgotten what the wrong behaviour was... could someone refresh my
memory?

>   * Improvements in chunked performance by reducing buffer count sent
>        Status: no patch; Dean may do

I'm not at all happy with what I've got in progress on this one, it's
getting far too complicated; such that I won't feel good about putting it
in this late.  Unless I have a flash of inspiration today I'm going to
submit a patch which uses writev() to improve write_it_all(); and we'll
have to live with the remaining bflush() caused by turning chunked on
and off.

>   * new header_parse API hook is called too often
>        Status: RobH posted patch, had second thoughts.  He
>        suggests that mod_browser be optimised by detecting if it has been
>        called already and returning early if it has.

I'd +1 such a patch to mod_browser.  Wouldn't it be just a matter of
testing r->main ?

Dean
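
A check for the default-deny layout suggested in the message above, added here as an example; it is not part of the original message and not Apache code. It parses `<Directory>` sections and reports a root block that is missing, written without a path, or not set to deny from all with AllowOverride None. The function names and both sample configurations are constructed for illustration.

```python
import re

# Constructed samples: GOOD_CONF follows the layout in the message above,
# BAD_CONF uses the pathless <Directory> form the quoted item calls invalid.
GOOD_CONF = """\
<Directory />
AllowOverride None
order deny,allow
deny from all
</Directory>
<Directory /home/www/docroot>
AllowOverride None
order allow,deny
allow from all
</Directory>
"""
BAD_CONF = "<Directory>\norder deny,allow\ndeny from all\n</Directory>\n"

def parse_directories(text):
    """Return {path: {directive: args}}; a pathless <Directory> is keyed as ''."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Directory(?:\s+(.*?))?\s*>$", line, re.I)
        if m:
            current = blocks.setdefault((m.group(1) or "").strip('"'), {})
        elif re.match(r"</Directory\s*>$", line, re.I):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            args = parts[1] if len(parts) > 1 else ""
            current[parts[0].lower()] = " ".join(args.lower().split())
    return blocks

def audit_default_deny(text):
    """List the ways the configuration falls short of a default-deny root."""
    blocks = parse_directories(text)
    findings = []
    if "" in blocks:
        findings.append("<Directory> has no path; the root block is <Directory />")
    root = blocks.get("/")
    if root is None:
        return findings + ["no <Directory /> block sets a filesystem-wide default"]
    if root.get("deny") != "from all" or "allow" in root:
        findings.append("<Directory /> does not deny from all")
    if root.get("allowoverride") != "none":
        findings.append("<Directory /> does not set AllowOverride None")
    return findings
```
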

