On Tuesday 19 October 2010, Roy T. Fielding wrote:
> IMO, removing Limit and LimitExcept would require a bump to httpd
> 3.x, since it would break almost all existing configs and
> introduce security holes if the installer is not prepared to
> rewrite them.

If the user is not prepared to change the config, httpd will not start. The user would need to comment out the Limit/LimitExcept lines, but in this case it would be absolutely obvious that he breaks his auth config. And keeping Limit/LimitExcept is bad for security, too, because it has such insane behaviour. See

https://issues.apache.org/bugzilla/show_bug.cgi?id=47019
https://issues.apache.org/bugzilla/show_bug.cgi?id=25057
https://issues.apache.org/bugzilla/show_bug.cgi?id=49927

> Deprecating Limit and LimitExcept can be done in 2.4.x, which means
> keeping their functionality intact and warning at startup that the
> feature is less good than the new directives.

If we just add a warning, I fear that many users will still use it even in new installations, because there are so many outdated howtos around.
