>>> On 7/11/2008 at 5:30 PM, in message <[EMAIL PROTECTED]>, "Roy T. Fielding" <[EMAIL PROTECTED]> wrote:
> On Jul 11, 2008, at 2:14 PM, Brad Nicholes wrote:
>
>>>>> On 7/11/2008 at 12:01 PM, in message <[EMAIL PROTECTED]>, David Shane Holden <[EMAIL PROTECTED]> wrote:
>>> Thanks for the link and description Brad. It makes sense now. Explains why the default config was giving me a 403. The 'Require all denied' was being inherited from the root directory config. Would it be appropriate to add something like the attached patch to httpd.conf.in?
>>
>> In this case, probably.
>
> The default needs to be off. We can't disable sites on an upgrade within the 2.x series.
>
> ....Roy
So this was really the question that was being discussed, especially in the last few messages of the thread http://www.mail-archive.com/dev%40httpd.apache.org/msg40286.html. Is it better to switch the default to ON, knowing that 2.4 might disable some sites based on stricter auth rules, or leave the default at OFF, knowing that there might be some holes left open? Maybe the justification is that the holes were always there anyway and being plugged by extra auth configuration prior to 2.4, so 2.4 really doesn't need to enforce stricter auth rules. I intentionally wrote the patch so that both the defaults for the AuthzMergeRules directive and the initial merge rule can be easily switched. I would just ask that those concerned read through the message thread and determine what the defaults should be. I can see pros and cons of each, but I can go with whatever makes sense to the user.

Brad
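The inheritance that produced David's 403 is easiest to see in a minimal httpd.conf fragment. The following is an added illustration written for this archive page; it is not the patch attached in the thread nor the project's own httpd.conf.in, and the document root path is a placeholder. It uses the AuthzMergeRules directive name from the 2.3 development tree under discussion; in released httpd 2.4 the same role is played by mod_authz_core's AuthMerging directive, whose default is Off.

```apacheconf
# Lock down the filesystem root: nothing is served unless a more
# specific section grants it. This is the "root directory config"
# whose 'Require all denied' was being inherited in the thread.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# With merging ON (parent rules ANDed into the child), the grant below
# is combined with the root section's deny and the result is still a
# 403 for every request, even though this section says "granted".
# With merging OFF, the child's Require replaces the parent's, and the
# directory is served as intended.
#
# Placeholder path; substitute the real DocumentRoot.
<Directory "/path/to/htdocs">
    # Explicitly disable merging for this section so the grant stands
    # regardless of what the server-wide default is set to.
    AuthzMergeRules Off
    Require all granted
</Directory>
```

The second section is the defender's compromise between Roy's and Brad's positions: the root stays denied by default, and every served directory carries an explicit grant plus an explicit merge setting, so a change in the server-wide default on upgrade neither silently opens the tree nor silently 403s a working site. In released 2.4 replace the AuthzMergeRules line with `AuthMerging Off` (the default there, so it can also simply be omitted).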
