On Tuesday 19 October 2010, Roy T. Fielding wrote:
> On Oct 19, 2010, at 12:46 PM, Stefan Fritsch wrote:
> > On Tuesday 19 October 2010, Roy T. Fielding wrote:
> >> IMO, removing Limit and LimitExcept would require a bump to
> >> httpd 3.x, since it would break almost all existing configs and
> >> introduce security holes if the installer is not prepared to
> >> rewrite them.
> >
> > If the user is not prepared to change the config, httpd will not
> > start. The user would need to comment out the Limit/LimitExcept
> > lines, but in this case it would be absolutely obvious that he
> > breaks his auth config.
> >
> > And keeping Limit/LimitExcept is bad for security, too, because
> > it has such insane behaviour. See
> >
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=47019
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=25057
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=49927
>
> Then fix the insane behavior.

I don't think that's an option. Changing the behaviour of Limit will surely break some users' auth configs in subtle ways, which is much worse than a clean break.

> >> Deprecating Limit and LimitExcept can be done in 2.4.x, which
> >> means keeping their functionality intact and warning at startup
> >> that the feature is less good than the new directives.
> >
> > If we just add a warning, I fear that many users will still use
> > it even in new installations, because there are so many outdated
> > howtos around.
>
> Of course they will still use it. If you want to mandate config
> changes, then release it as httpd 3.x. Keeling over a website when
> they perform a *minor* version upgrade is foolish. Version numbers
> are cheap.

I disagree and think that the change is small enough for 2.2->2.4.
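As an added illustration that is not part of this thread: the Limit pitfall the httpd documentation itself warns about (access controls inside `<Limit>` apply only to the listed methods, with every unlisted method left unrestricted), next to the same intent written against the container so it covers all methods, and a genuinely method-aware rule using the 2.4 authorization containers, which are assumed here to be the "new directives" being discussed. Paths and realm names are made up for the example.

```apacheconf
# Added example, not from the thread. Shows why <Limit> is easy to get
# wrong: auth placed inside it only guards the methods named in it.

# Risky: the intent is "require a login for /admin", but because the
# requirement sits inside <Limit GET POST>, a request for /admin using
# any other method (PUT, DELETE, OPTIONS, PROPFIND, ...) is served with
# no authentication at all. (GET in a <Limit> also covers HEAD.)
<Directory "/var/www/admin">
    <Limit GET POST>
        AuthType Basic
        AuthName "Admin (example realm)"
        # assumed path
        AuthUserFile "/etc/httpd/admin.passwd"
        Require valid-user
    </Limit>
</Directory>

# Corrected: same requirement at container level, so it applies to every
# method. Reserve <Limit>/<LimitExcept> for cases where policy really is
# meant to differ per method.
<Directory "/var/www/admin">
    AuthType Basic
    AuthName "Admin (example realm)"
    # assumed path
    AuthUserFile "/etc/httpd/admin.passwd"
    Require valid-user
</Directory>

# When read and write access genuinely differ, say so explicitly with
# the 2.4 authorization containers (mod_authz_core) instead of leaving
# unlisted methods open: read-only methods are public, anything else
# needs a valid user.
<Directory "/var/www/docs">
    AuthType Basic
    AuthName "Docs (example realm)"
    # assumed path
    AuthUserFile "/etc/httpd/docs.passwd"
    <RequireAny>
        Require method GET HEAD OPTIONS
        Require valid-user
    </RequireAny>
</Directory>
```

A quick check after any change of this kind is to exercise the protected path with a non-GET method and confirm it is refused without credentials, since `apachectl configtest` only validates syntax, not the resulting policy.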
