httpd-dev mailing list archives

From: Stefan Fritsch
Subject: Re: Removing Limit and LimitExcept
Date: Wed, 20 Oct 2010 20:20:11 GMT
On Tuesday 19 October 2010, William A. Rowe Jr. wrote:
> >> Then fix the insane behavior.
> >
> > I don't think that's an option. Changing the behaviour of Limit
> > will surely break some users' auth configs in subtle ways,
> > which is much worse than a clean break.
> Well, there is a fix.  Disallow all cmd's that don't flag
> themselves as being 'limit aware'.  It will break lots of configs
> in very obvious ways, but that those configs worked in the first
> place would be a mystery to the administrator :)

I think the main issue is not that most directives ignore Limit, but 
rather the side effect of removing other access restrictions, as 
Rainer outlined in his mail. But writing code to detect that situation 
and log a warning doesn't look straightforward at all.

Hmm. Maybe this is comparable with OSs disabling executable stack by 
default. That also breaks software but there is usually a way of 
restoring the old behaviour. So maybe we could also disable Limit by 
default and have an EnableDeprecatedAndOftenInsecureLimitDirectives 
directive ;-)

Another thing to make transition easier would be to include 
mod_allowmethods in 2.2.x. Then many users could migrate their config 
before upgrading to 2.4.
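The following httpd configuration is an added illustration of the Limit side effect the thread is discussing and of the mod_allowmethods migration path the mail proposes; it is not configuration from the thread or from the httpd project. The directory paths and the htpasswd file are constructed placeholders, and the corrected variant uses httpd 2.4 mod_authz_core syntax.

```apache
# Added illustration (not from the thread): how an auth check placed
# inside <Limit> covers only the listed methods, and the mod_allowmethods
# form that keeps authentication and method policy separate.
# Paths and the user file are constructed placeholders.

# --- Risky pattern: the auth requirement lives inside <Limit> ---
# Only GET (and HEAD, which <Limit GET> implies) is subject to the
# Require check. Any other method (POST, PUT, DELETE, ...) is handled
# without authentication, so the "restriction" quietly removes the
# protection for every method that is not named.
<Directory "/var/www/private">
    AuthType Basic
    AuthName "Private"
    AuthUserFile "/etc/apache2/private.htpasswd"
    <Limit GET>
        Require valid-user
    </Limit>
</Directory>

# --- Corrected (httpd 2.4, mod_allowmethods loaded) ---
# Require sits at directory scope, so it applies to every method.
# Method policy is a positive list via AllowMethods: anything not
# listed is refused before the handler runs, and no directive has to
# be nested inside a method-scoped section to get that effect.
<Directory "/var/www/private-fixed">
    AuthType Basic
    AuthName "Private"
    AuthUserFile "/etc/apache2/private.htpasswd"
    Require valid-user
    AllowMethods GET HEAD OPTIONS
</Directory>
```

A quick way to audit an existing configuration for the risky shape is to grep for Require, Order, Allow, Deny or Satisfy lines that appear between a `<Limit` and its `</Limit>`; each such hit is a directive whose coverage is narrower than the surrounding section suggests. On 2.4, `apachectl -t` after the change confirms that AllowMethods is recognised, which fails loudly if mod_allowmethods is not loaded.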
