httpd-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: Removing Limit and LimitExcept (was: svn commit: r1023227 - in /httpd/httpd/trunk: CHANGES server/core.c)
Date Tue, 19 Oct 2010 20:03:25 GMT
On Oct 19, 2010, at 12:46 PM, Stefan Fritsch wrote:

> On Tuesday 19 October 2010, Roy T. Fielding wrote:
>> IMO, removing Limit and LimitExcept would require a bump to httpd
>> 3.x, since it would break almost all existing configs and
>> introduce security holes if the installer is not prepared to
>> rewrite them.
> 
> If the user is not prepared to change the config, httpd will not 
> start. The user would need to comment out the Limit/LimitExcept lines, 
> but in this case it would be absolutely obvious that he breaks his 
> auth config.
> 
> And keeping Limit/LimitExcept is bad for security, too, because it has 
> such insane behaviour. See
> 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=47019
> https://issues.apache.org/bugzilla/show_bug.cgi?id=25057
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49927

Then fix the insane behavior.

>> Deprecating Limit and LimitExcept can be done in 2.4.x, which means
>> keeping their functionality intact and warning at startup that the
>> feature is less good than the new directives.
> 
> If we just add a warning, I fear that many users will still use it 
> even in new installations, because there are so many outdated howtos 
> around.

Of course they will still use it.  If you want to mandate config
changes, then release it as httpd 3.x.  Keeling over a website when
they perform a *minor* version upgrade is foolish.  Version numbers
are cheap.

....Roy
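One reason `<Limit>` is easy to misuse, shown as an added example that is not part of the message: the access control inside a `<Limit>` section applies only to the methods it names, so every other method (standard or not) falls through to whatever authorization the enclosing context provides. The directory and password-file paths below are placeholders.

```apache
# Constructed example: the same intent written three ways.

# Weak: the Require covers GET (which includes HEAD) and POST only. A
# PUT, DELETE, PROPFIND or an arbitrary method token is not subject to it
# and is handled according to whatever the parent context allows.
<Directory "/var/www/protected">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/apache2/.htpasswd"
    <Limit GET POST>
        Require valid-user
    </Limit>
</Directory>

# Better: name the methods that may be used anonymously; every other
# method, known or unknown, is subject to the Require.
<Directory "/var/www/protected">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/apache2/.htpasswd"
    <LimitExcept GET>
        Require valid-user
    </LimitExcept>
</Directory>

# Simplest when no method should be anonymous: no Limit section at all,
# so the Require applies regardless of method.
<Directory "/var/www/protected">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/apache2/.htpasswd"
    Require valid-user
</Directory>
```

The first form is the pattern that outdated howtos tend to copy; an audit of a config should treat any `Require` that appears only inside a `<Limit>` block as a question to answer, not a setting to keep.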
