On Oct 19, 2010, at 12:46 PM, Stefan Fritsch wrote:

> On Tuesday 19 October 2010, Roy T. Fielding wrote:
>> IMO, removing Limit and LimitExcept would require a bump to httpd
>> 3.x, since it would break almost all existing configs and
>> introduce security holes if the installer is not prepared to
>> rewrite them.
>
> If the user is not prepared to change the config, httpd will not
> start. The user would need to comment out the Limit/LimitExcept lines,
> but in this case it would be absolutely obvious that he breaks his
> auth config.
>
> And keeping Limit/LimitExcept is bad for security, too, because it has
> such insane behaviour. See
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=47019
> https://issues.apache.org/bugzilla/show_bug.cgi?id=25057
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49927

Then fix the insane behavior.

>> Deprecating Limit and LimitExcept can be done in 2.4.x, which means
>> keeping their functionality intact and warning at startup that the
>> feature is less good than the new directives.
>
> If we just add a warning, I fear that many users will still use it
> even in new installations, because there are so many outdated howtos
> around.

Of course they will still use it. If you want to mandate config changes,
then release it as httpd 3.x. Keeling over a website when they perform
a *minor* version upgrade is foolish. Version numbers are cheap.

....Roy
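As an added illustration, not part of this thread, of the kind of mistake that makes <Limit> hazardous in practice and of how the same policy is expressed without it: access control placed inside <Limit GET POST> applies only to those two methods, so every other method reaches the resource unauthenticated. The directory path, realm name and htpasswd file below are made up for the example; the directives themselves (AuthType, Require, <Limit>, <LimitExcept>, and the httpd 2.4 <RequireAny> / Require method forms) are standard httpd directives.

```apache
# --- Weak: the requirement is scoped to GET and POST only -------------
# Any other method (PUT, DELETE, PROPFIND, OPTIONS, ...) is not covered
# by the Require, so it is served without authentication.
<Directory "/srv/www/admin">              # path is an example value
    AuthType Basic
    AuthName "Admin area"                 # example realm
    AuthUserFile "/etc/httpd/admin.htpasswd"   # example file
    <Limit GET POST>
        Require valid-user
    </Limit>
</Directory>

# --- Same policy, legacy directives, done safely ----------------------
# Put the requirement outside any <Limit> so it covers every method.
# If some methods are deliberately open, name the exceptions with
# <LimitExcept> instead of enumerating the methods to protect.
<Directory "/srv/www/admin">
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile "/etc/httpd/admin.htpasswd"
    Require valid-user
</Directory>

# --- httpd 2.4 authorization, no <Limit> at all -----------------------
# GET (which httpd also applies to HEAD) is allowed anonymously;
# everything else must present valid credentials.
<Directory "/srv/www/admin">
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile "/etc/httpd/admin.htpasswd"
    <RequireAny>
        Require method GET
        Require valid-user
    </RequireAny>
</Directory>
```

A quick check for the first pattern in an existing configuration is to look for any Require, Allow or Deny directive enclosed in a <Limit> block; unless the listed methods are genuinely the only ones that should be restricted, the enclosing <Limit> should be removed or turned into <LimitExcept>.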
