httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <...@apache.org>
Subject Re: Drop HttpProtocolOptions Unsafe from 2.later/3.0 httpd releases?
Date Thu, 14 Sep 2017 09:50:58 GMT
On Wed, 13 Sep 2017 08:29:44 -0500
William A Rowe Jr <wrowe@rowe-clan.net> wrote:

> So moving forwards, can we stop accepting stuff that isn't HTTP/1.1 in
> our HTTP/1.1 server? Do we really want people to configure their
> server to speak "other"?

Did you mean to say "stop accepting ..."?

> I'm starting to collect https://wiki.apache.org/httpd/Applications
> based on searching google for instances where users have toggled
> HttpProtocolOptions Unsafe, in response to specific application
> behavior.

Perhaps a useful exercise, but could take us in to a bad cycle
of application workarounds that long-outlive the application
being fixed.

> From this list, we might decide to allow non-HTTP/1.1 input in
> specific cases, and perhaps have multiple grades of protocol
> correctness, as I first proposed.

You mean something like Options or AllowOverride?  Things that looked
like a good idea at the time but led to all sorts of issues as the
server evolved!

OK, perhaps that's unduly harsh: this will be less problematic to
maintain.  Are you enumerating cases?

-- 
Nick Kew

Mime
View raw message