httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject [vote] "Security" change to default configs trunk/2.2/2.0
Date Wed, 07 Sep 2011 22:44:04 GMT
Per a dialog with a reporter and Ben Laurie, I did a search on where
we had enabled Multiviews, and I'd propose we disable this by default
as the server would default it as well.  These places were:

Index: extra/httpd-userdir.conf.in
===================================================================
--- extra/httpd-userdir.conf.in	(revision 1166228)
+++ extra/httpd-userdir.conf.in	(working copy)
@@ -15,7 +15,7 @@
 #
 <Directory "/home/*/public_html">
     AllowOverride FileInfo AuthConfig Limit Indexes
-    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+    Options Indexes SymLinksIfOwnerMatch IncludesNoExec
     <Limit GET POST OPTIONS>
         Order allow,deny
         Allow from all
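
Review bot: With MultiViews dropped from the Options line, users cannot turn it back on themselves, because the AllowOverride line directly above lists only FileInfo AuthConfig Limit Indexes and not Options, so an "Options +MultiViews" in a public_html .htaccess would be rejected. Any user content that relied on negotiated URLs stops resolving until the administrator edits this file. Suggest a short comment above the Directory block saying that MultiViews is off by default and must be re-added here if wanted, plus a CHANGES entry for the default change.
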
Index: extra/httpd-autoindex.conf.in
===================================================================
--- extra/httpd-autoindex.conf.in	(revision 1166228)
+++ extra/httpd-autoindex.conf.in	(working copy)
@@ -20,7 +20,7 @@
 Alias /icons/ "@exp_iconsdir@/"

 <Directory "@exp_iconsdir@">
-    Options Indexes MultiViews
+    Options Indexes
     AllowOverride None
     Order allow,deny
     Allow from all
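
Review bot: The new line "Options Indexes" still leaves directory listing enabled for the icons directory, and AllowOverride None means nothing below can change that. If the aim of this pass is to trim the shipped defaults to what /icons/ actually needs, it is worth deciding here whether Indexes should stay, and saying so in a comment, rather than revisiting the same block later. Requests that named an icon without its extension also stop matching after this change, which deserves a line in CHANGES.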

Amazingly it doesn't show up in extra/httpd-manual.conf because we
don't even rely on the feature (those are type-maps).

Neither /~user/ nor /icons/ by default requires the multiviews feature.
So please indicate which way we want to go here...

  [ ] +1 remove these MultiViews from trunk/2.2/2.0
  [ ] -1 leave these with MultiViews by default

