httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: Removing Limit and LimitExcept (was: svn commit: r1023227 - in /httpd/httpd/trunk: CHANGES server/core.c)
Date Wed, 20 Oct 2010 07:02:25 GMT
 

> -----Original Message-----
> From: Stefan Fritsch 
> Sent: Dienstag, 19. Oktober 2010 22:33
> To: dev@httpd.apache.org
> Subject: Re: Removing Limit and LimitExcept (was: svn commit: 
> r1023227 - in /httpd/httpd/trunk: CHANGES server/core.c)
> 
> On Tuesday 19 October 2010, Roy T. Fielding wrote:
> > On Oct 19, 2010, at 12:46 PM, Stefan Fritsch wrote:
> > > On Tuesday 19 October 2010, Roy T. Fielding wrote:
> > >> IMO, removing Limit and LimitExcept would require a bump to
> > >> httpd 3.x, since it would break almost all existing configs and
> > >> introduce security holes if the installer is not prepared to
> > >> rewrite them.
> > > 
> > > If the user is not prepared to change the config, httpd will not
> > > start. The user would need to comment out the Limit/LimitExcept
> > > lines, but in this case it would be absolutely obvious that he
> > > breaks his auth config.
> > > 
> > > And keeping Limit/LimitExcept is bad for security, too, because
> > > it has such insane behaviour. See
> > > 
> > > https://issues.apache.org/bugzilla/show_bug.cgi?id=47019
> > > https://issues.apache.org/bugzilla/show_bug.cgi?id=25057
> > > https://issues.apache.org/bugzilla/show_bug.cgi?id=49927
> > 
> > Then fix the insane behavior.
> 
> I don't think that's an option. Changing the behaviour of Limit will 
> surely break some users' auth configs in subtle ways, which is much 
> worse than a clean break.

The question is how it breaks users auth configs. If it results in more
restrictive behaviour I guess this would be acceptable.

> 
> > >> Deprecating Limit and LimitExcept can be done in 2.4.x, which
> > >> means keeping their functionality intact and warning at startup
> > >> that the feature is less good than the new directives.
> > > 
> > > If we just add a warning, I fear that many users will still use
> > > it even in new installations, because there are so many outdated
> > > howtos around.
> > 
> > Of course they will still use it.  If you want to mandate config
> > changes, then release it as httpd 3.x.  Keeling over a website when
> > they perform a *minor* version upgrade is foolish.  Version numbers
> > are cheap.
> 
> I disagree and think that the change is small enough for 2.2->2.4.

There are a lot of AAA changes between 2.2 and 2.4, but we tried to provide
the users with the option to keep the old syntax in their config 
e.g. via mod_access_compat.
So I do not think that removing Limit between 2.2 and 2.4 without deprecating
it before is a good idea.
The annoying warning at the start gives users a chance to adjust their config
over time. If they don't do that until 2.6 or 3.0, then it is their own fault.

Regards

Rüdiger


Mime
View raw message