httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Remove <Limit> and <LimitExcept> ?
Date Sat, 18 Sep 2010 22:45:40 GMT
This is from https://issues.apache.org/bugzilla/show_bug.cgi?id=49927

On Saturday 18 September 2010, bugzilla@apache.org wrote:
> --- Comment #3 from Nick Kew <nick@webthing.com> 2010-09-18
> 06:38:34 EDT ---
> 
> > No, the current documentation is correct. The semantics of
> > Limit/LimitExcept is just insane. We should relly get rid if it
> > in 2.4 and improve the docs for 2.2. Maybe the "unprotected"
> > should be big, red, and blinking ;-)
> 
> Agreed.  We can even document it as superseded by
> <If "$request-method ...">
> having of course checked the expression parser, which probably
> needs updating to support things like
>    "... in GET,HEAD,OPTIONS,TRACE"
> without some nasty great OR expression.

What do other people think about removing <Limit> and <LimitExcept> 
and adding mod_allowmethods from the sandbox to easily forbid some 
methods? Or would this create too much trouble when upgrading 
configurations?


BTW, we could also add an authz provider to allow things like

Require method GET,HEAD,...

Though this would be slower than mod_allowmethods because authz 
providers have to parse the require line on every request.

Mime
View raw message