httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: Removing Limit and LimitExcept (was: svn commit: r1023227 - in /httpd/httpd/trunk: CHANGES server/core.c)
Date Tue, 19 Oct 2010 20:32:48 GMT
On Tuesday 19 October 2010, Roy T. Fielding wrote:
> On Oct 19, 2010, at 12:46 PM, Stefan Fritsch wrote:
> > On Tuesday 19 October 2010, Roy T. Fielding wrote:
> >> IMO, removing Limit and LimitExcept would require a bump to
> >> httpd 3.x, since it would break almost all existing configs and
> >> introduce security holes if the installer is not prepared to
> >> rewrite them.
> > 
> > If the user is not prepared to change the config, httpd will not
> > start. The user would need to comment out the Limit/LimitExcept
> > lines, but in this case it would be absolutely obvious that he
> > breaks his auth config.
> > 
> > And keeping Limit/LimitExcept is bad for security, too, because
> > it has such insane behaviour. See
> > 
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=47019
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=25057
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=49927
> 
> Then fix the insane behavior.

I don't think that's an option. Changing the behaviour of Limit will 
surely break some users' auth configs in subtle ways, which is much 
worse than a clean break.

> >> Deprecating Limit and LimitExcept can be done in 2.4.x, which
> >> means keeping their functionality intact and warning at startup
> >> that the feature is less good than the new directives.
> > 
> > If we just add a warning, I fear that many users will still use
> > it even in new installations, because there are so many outdated
> > howtos around.
> 
> Of course they will still use it.  If you want to mandate config
> changes, then release it as httpd 3.x.  Keeling over a website when
> they perform a *minor* version upgrade is foolish.  Version numbers
> are cheap.

I disagree and think that the change is small enough for 2.2->2.4.
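Added illustration, not part of this message or of the httpd project's own configuration: the best-known way a `<Limit>` section turns an auth config into a hole (the Require only covers the methods named, so any other method reaches the resource unauthenticated), next to the method-independent form that needs no `<Limit>`/`<LimitExcept>` at all. The directory path, realm name and password file are constructed placeholders; the `Require method` provider from 2.4's mod_authz_core is assumed here to be one of the "new directives" the thread refers to.

```apache
# Weak: AuthType/AuthName/AuthUserFile set up authentication, but the
# Require is scoped to the <Limit> methods only. Requests using any other
# method (PUT, DELETE, PROPFIND, an arbitrary extension method ...) are not
# subject to the Require and reach /var/www/private without credentials.
<Directory "/var/www/private">
    AuthType Basic
    AuthName "Private"                        # constructed realm
    AuthUserFile "/etc/httpd/private.htpasswd" # constructed path
    <Limit GET POST>
        Require valid-user
    </Limit>
</Directory>

# Corrected: keep the Require outside any <Limit>/<LimitExcept> so it
# applies to every request method, whatever the client sends.
<Directory "/var/www/private">
    AuthType Basic
    AuthName "Private"
    AuthUserFile "/etc/httpd/private.htpasswd"
    Require valid-user
</Directory>

# If read-only methods really should be open while everything else needs
# credentials, 2.4 expresses that as an authorization rule rather than a
# method-scoped section: "Require method" (mod_authz_core) is assumed here
# to be the replacement the thread has in mind. Any method not listed falls
# through to "Require valid-user", so there is no unlisted-method gap.
<Directory "/var/www/private">
    AuthType Basic
    AuthName "Private"
    AuthUserFile "/etc/httpd/private.htpasswd"
    <RequireAny>
        Require method GET HEAD OPTIONS
        Require valid-user
    </RequireAny>
</Directory>
```

A quick check for the weak form is to compare the response to a request with the listed method against one with an unlisted method on the same URL: if only the former gets a 401, the access control is method-scoped and the Require belongs outside the section.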
