httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch>
Subject Re: Removing Limit and LimitExcept
Date Fri, 22 Oct 2010 15:27:43 GMT
On Friday 22 October 2010, Roy T. Fielding wrote:
> On Oct 21, 2010, at 11:16 AM, William A. Rowe Jr. wrote:
> > On 10/21/2010 10:21 AM, Jim Jagielski wrote:
> >> All this debate makes me wonder how many people here still
> >> *run* and *administer* web sites... How about putting yourself
> >> in the shoes of the sys admin before willy-nilly recrafting
> >> configs.

I do. And major upgrades like 2.0 -> 2.2 or 2.2 -> 2.4 happen much 
less often (like every 4-5 years) than mistakes with Limit/LimitExcept 
that lead to sensitive data being unprotected.

The fact that a config like this *allows* GET/POST access to /secret 
for everyone is really broken:

<Location />
  <LimitExcept GET POST>
    Deny from all

<Directory /var/www>
  Allow from all

<Directory /var/www/secret/>
  Deny from all

I would see it as a good thing if people who use Limit were forced to 
rethink their configuration. It's also rather telling that Apache 
infra preferred to create a new module for * instead of 
using Limit/LimitExcept.

> When we get to 3.0, we can remove Limit and LimitExcept entirely.
> If you want to move trunk to 3.0a right now, that's fine with me.

If we make current trunk 3.0, what version bump would you choose for a 
potential switch to async/serf/whatever, which would completely break 
API compatibility for modules? I would rather reserve the bump to 3.0 
for that step (which may or may not come).

View raw message