httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: svn commit: r667651 - /httpd/httpd/trunk/modules/aaa/mod_authz_core.c
Date Mon, 14 Jul 2008 15:55:24 GMT
>>> On 7/11/2008 at 5:30 PM, in message
<5A713D9A-38A9-465B-892B-B6758A23B3A4@gbiv.com>, "Roy T. Fielding"
<fielding@gbiv.com> wrote:
> On Jul 11, 2008, at 2:14 PM, Brad Nicholes wrote:
> 
>>>>> On 7/11/2008 at 12:01 PM, in message  
>>>>> <48779FF0.2040307@apache.org>, David Shane
>> Holden <dpejesh@apache.org> wrote:
>>> Thanks for the link and description Brad.  It makes sense now.   
>>> Explains
>>> why the default config was giving me a 403.  The 'Require all denied'
>>> was being inherited from the root directory config.  Would it be
>>> appropriate to add something like the attached patched to  
>>> httpd.conf.in?
>>
>> In this case, probably.
> 
> The default needs to be off.  We can't disable sites on an upgrade  
> within
> the 2.x series.
> 
> ....Roy

So this was really the question that was being discussed, especially in the last few messages
of the thread http://www.mail-archive.com/dev%40httpd.apache.org/msg40286.html.  Is it better
to switch the default to ON knowing that 2.4 might disable some sites based on stricter auth
rules, or leave the default at OFF knowing that there might be some holes left open?  Maybe
the justification is that the holes were always there anyway and being plugged by extra auth
configuration prior to 2.4, so 2.4 really doesn't need to enforce stricter auth rules.  I
intentionally wrote the patch so that both the defaults for the AuthzMergeRules directive
and the initial merge rule can be easily switched.  I would just ask that those concerned
read through the message thread and determine what the defaults should be.  I can see pros
and cons of each, but I can go with whatever makes sense to the user.

Brad
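The inheritance case David describes in the quoted message (a `Require all denied` at `<Directory />` propagating down to the DocumentRoot and answering 403) is illustrated below. This is an added example, not the patch or the httpd.conf.in fragment discussed in the thread; the DocumentRoot path is assumed, and the two DocumentRoot sections are alternatives (use one, not both), shown side by side to contrast the broken and the fixed configuration.

```apache
# Added example, not from the thread. Default-deny root section: any
# <Directory> below it that states no Require of its own inherits this
# rule and every request into it is refused with 403.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Alternative 1 (broken): no Require of its own, so the inherited
# "all denied" applies and the DocumentRoot itself returns 403.
# (Path is an assumption for the example.)
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

# Alternative 2 (fixed): an explicit Require in the more specific section
# opens only this subtree; everything outside it stays denied by the root.
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

Whether the child's `Require` replaces the parent's or is merged with it is exactly the default this thread is deciding. In released 2.4 the non-merging behaviour won: a subsection's authorization directives override the parent's unless `AuthMerging` (the released name for the merge control) is turned on, so the fixed alternative above grants access to the DocumentRoot while the root deny still covers the rest of the filesystem.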
