Received: (from majordom@localhost)
	by hyperreal.org (8.8.5/8.8.5) id XAA06088;
	Sat, 26 Jul 1997 23:13:38 -0700 (PDT)
Received: from valis.worldgate.com (marcs@valis.worldgate.com [198.161.84.2])
	by hyperreal.org (8.8.5/8.8.5) with ESMTP id XAA06076
	for ; Sat, 26 Jul 1997 23:13:35 -0700 (PDT)
Received: from localhost (marcs@localhost)
	by valis.worldgate.com (8.8.5/8.8.5) with SMTP id AAA13523
	for ; Sun, 27 Jul 1997 00:13:33 -0600 (MDT)
Date: Sun, 27 Jul 1997 00:13:33 -0600 (MDT)
From: Marc Slemko
To: new-httpd@apache.org
Subject: Re: [PATCH] mod_access overhaul
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Sat, 26 Jul 1997, Dean Gaudet wrote:

> This is an overhaul of mod_access.c's matching and syntax.  I was originally
> just going to implement the CIDR syntax like PR#762 wants.  But I went a
> bit further.  From my CHANGES note:
>
>   - Now understands network/netmask syntax (i.e. 10.1.0.0/255.255.0.0)
>     and cidr syntax (i.e. 10.1.0.0/16).

But what about octal?  Does it work with 10.0.1.0/23?  10.0.254.0/22?
(yes, those are pathological, but not as bad as non-contiguous subnets;
hey, does it support those?)

>   - When used with hostnames it now forces a double-reverse lookup
>     no matter what the directory settings are.  This double-reverse
>     doesn't affect any of the other routines that use the remote
>     hostname.  In particular it's still passed to CGIs and the log
>     without the double-reverse check.

But if it had to be looked up, then it will still be passed to things even
if hostnamelookups are off, right?  Hmm.  That could break some things.
Picture a moron.  Picture him writing a CGI script and not having a clue
about anything, so using REMOTE_HOST and turning off DNS lookups and
expecting a numeric IP.

I'm not sure if I am worried about this or not.

>
> I expect a little resistance to the last point ... but my argument is
> that it's a proactive attempt to avoid a CERT advisory.  As of 1.2 we
> no longer document MAXIMUM_DNS except in the FAQ... it used to be right
> in Configuration in front of your face.

No resistance.  I was going to do it myself when I got time.

>
> Note that I still maintain MAXIMUM_DNS, if it's defined.
>

How about expanding Hostnamelookups to allow for maximum_dns?
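
Added example (not part of the original message and not Apache's mod_access code): a minimal parser and matcher for the two syntaxes discussed above, handling the edge cases raised in the reply. The names acl_parse, acl_match, struct acl_net and the ACL_* codes are hypothetical, and rejecting pathological specs rather than normalizing them is an assumption of this sketch, not something the thread settles.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ACL_OK = 0, ACL_BAD_SYNTAX = -1, ACL_NONCONTIG_MASK = -2, ACL_HOST_BITS = -3 };
struct acl_net { uint32_t net, mask; };            /* both in host byte order */

/* inet_pton() accepts decimal octets only, so "010.1.0.0" is not read as octal. */
static int parse_quad(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Parse "a.b.c.d/len" (CIDR) or "a.b.c.d/m.m.m.m" (network/netmask). */
int acl_parse(const char *spec, struct acl_net *n) {
    char buf[40], *slash, *end;
    if (strlen(spec) >= sizeof buf) return ACL_BAD_SYNTAX;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) == NULL) return ACL_BAD_SYNTAX;
    *slash++ = '\0';
    if (parse_quad(buf, &n->net) != 0) return ACL_BAD_SYNTAX;
    if (strchr(slash, '.')) {                      /* netmask form */
        if (parse_quad(slash, &n->mask) != 0) return ACL_BAD_SYNTAX;
        uint32_t inv = ~n->mask;                   /* contiguous mask: inverse is 2^k - 1 */
        if (inv & (inv + 1)) return ACL_NONCONTIG_MASK;
    } else {                                       /* prefix-length form */
        long len = strtol(slash, &end, 10);
        if (!isdigit((unsigned char)*slash) || *end || len > 32) return ACL_BAD_SYNTAX;
        n->mask = len ? 0xFFFFFFFFu << (32 - len) : 0;
    }
    /* 10.0.1.0/23 and 10.0.254.0/22 end up here: address bits set outside the mask. */
    return (n->net & ~n->mask) ? ACL_HOST_BITS : ACL_OK;
}

/* 1 if the client address falls inside the parsed network, else 0. */
int acl_match(const struct acl_net *n, const char *client) {
    uint32_t ip;
    return parse_quad(client, &ip) == 0 && (ip & n->mask) == n->net;
}

int main(void) {
    const char *specs[] = { "10.1.0.0/16", "10.0.1.0/23", "10.0.0.0/255.0.255.0" }; /* constructed */
    struct acl_net n;
    for (int i = 0; i < 3; i++) printf("%-22s -> %d\n", specs[i], acl_parse(specs[i], &n));
    return 0;
}
```

Silently masking off the stray bits instead of returning ACL_HOST_BITS would make 10.0.1.0/23 match all of 10.0.0.0/23, which is wider than an administrator typing that rule is likely to expect.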