httpd-dev mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: [vote] "Security" change to default configs trunk/2.2/2.0
Date Thu, 08 Sep 2011 05:51:02 GMT


----- Original Message -----
> Per a dialog with a reporter and Ben Laurie, I did a search on where
> we had enabled Multiviews, and I'd propose we disable this by default
> as the server would default it as well.  These places were:
> 
> Index: extra/httpd-userdir.conf.in
> ===================================================================
> --- extra/httpd-userdir.conf.in	(revision 1166228)
> +++ extra/httpd-userdir.conf.in	(working copy)
> @@ -15,7 +15,7 @@
>  #
>  <Directory "/home/*/public_html">
>      AllowOverride FileInfo AuthConfig Limit Indexes
> -    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
> +    Options Indexes SymLinksIfOwnerMatch IncludesNoExec
>      <Limit GET POST OPTIONS>
>          Order allow,deny
>          Allow from all
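Review bot: On the changed Options line, note that the AllowOverride line just above it (FileInfo AuthConfig Limit Indexes) does not include Options, so a user whose public_html relied on content negotiation cannot turn MultiViews back on from .htaccess. If that is intended, say so in the comment above this <Directory> section and in CHANGES, so administrators picking this up on 2.2/2.0 know they have to add MultiViews back in the server config themselves. Indexes stays on this line, so directory listings for user directories are unchanged.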
> Index: extra/httpd-autoindex.conf.in
> ===================================================================
> --- extra/httpd-autoindex.conf.in	(revision 1166228)
> +++ extra/httpd-autoindex.conf.in	(working copy)
> @@ -20,7 +20,7 @@
>  Alias /icons/ "@exp_iconsdir@/"
> 
>  <Directory "@exp_iconsdir@">
> -    Options Indexes MultiViews
> +    Options Indexes
>      AllowOverride None
>      Order allow,deny
>      Allow from all
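Review bot: On the Options line for "@exp_iconsdir@", AllowOverride None makes this line the only place negotiation for /icons/ can be set, so once MultiViews is gone any reference to an icon without its file extension stops resolving. A one-line comment above the <Directory> block stating that icon references must use the full file name, plus a CHANGES entry, would help, since nothing in the file records why the option was removed.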
> 
> Amazingly it doesn't show up in extra/httpd-manual.conf because we
> don't even rely on the feature (those are type-maps).
> 
> Neither /~user/ nor /icons/ by default requires the multiviews
> feature.
> So please indicate which way we want to go here...
> 
>   [ ] +1 remove these MultiViews from trunk/2.2/2.0
>   [ ] -1 leave these with MultiViews by default

+1 remove from trunk
-1 remove from 2.2/2.0

Who knows how many configs we're breaking with that?
Also I don't quite see how it's a security thing, at best "security"
and, for sure, a performance thing (notice: No "") 

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 571B 8B8A FC97 266D BDA3  EF6F 43AD 80A4 5779 3257
