httpd-dev mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [PATCH] modify httpd.conf-dist defaults
Date Wed, 25 Jun 2003 00:08:22 GMT
On Tue, 24 Jun 2003, Glenn wrote:

> Might be too late for 1.3.28, but I'd love some comments.
>
> - Changes defaults to disallow access to files unless explicitly allowed.

Although this is, in general, a good idea, I think it would cause many
people to be confused.  I don't think it is a good idea to change it this
late in the 1.3 series (even if it is only the default config file).

> - Turns off CGICommandArgs

+1, but only if this directive is documented in the manual.  I see nothing
on it at the moment.  (Obviously that's not your fault.)

> - On unix httpd-conf-dist, does not allow Emacs autosave or temporary files
>   to be served (along with not allowing .ht* files).  Emacs keeps the same
>   permission on its temp files, which is a poor choice.  (vi restricts
>   permission to owner on its .swp files.)  Also gives a commented out example
>   that additionally disallows *.bak, *.old, *.so, *.a, and *.o files.

I'm fine with the example, but I don't like enabling that by default.  It
will cause too much confusion for too little gain.  (It is an ugly-looking
regex and will inevitably hit some people who don't expect it.)

Joshua.
