On Tuesday 19 October 2010, William A. Rowe Jr. wrote:
> >> Then fix the insane behavior.
> >
> > I don't think that's an option. Changing the behaviour of Limit
> > will surely break some users' auth configs in subtle ways,
> > which is much worse than a clean break.
>
> Well, there is a fix. Disallow all cmd's that don't flag
> themselves as being 'limit aware'. It will break lots of configs
> in very obvious ways, but that those configs worked in the first
> place would be a mystery to the administrator :)

I think the main issue is not that most directives ignore Limit, but rather the side effect of removing other access restrictions, as Rainer outlined in his mail. But writing code to detect that situation and log a warning doesn't look straightforward at all.

Hmm. Maybe this is comparable with OSs disabling executable stack by default. That also breaks software but there is usually a way of restoring the old behaviour. So maybe we could also disable Limit by default and have an EnableDeprecatedAndOftenInsecureLimitDirectives directive ;-)

Another thing to make transition easier would be to include mod_allowmethods in 2.2.x. Then many users could migrate their config before upgrading to 2.4.
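
A small config audit in the spirit of the 'limit aware' idea above, as an added example that is not part of the original message or of httpd: it lists each <Limit> section in a config and the enclosed directives that do not honour the method list. The LIMIT_AWARE set, the function name and the sample config are assumptions constructed for illustration.

```python
import re

# Assumption: directives treated here as honouring the enclosing <Limit>
# method list (httpd 2.2 access control directives). Adjust for your modules.
LIMIT_AWARE = {"require", "order", "allow", "deny", "satisfy"}

OPEN = re.compile(r"<\s*Limit\s+([^>]*)>", re.I)   # does not match <LimitExcept>
CLOSE = re.compile(r"</\s*Limit\s*>", re.I)


def audit_limit_sections(config_text):
    """Return one finding per <Limit> section in an httpd config string."""
    findings, current = [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            # Method names are case-sensitive, so keep them as written.
            current = {"line": lineno, "methods": m.group(1).split(), "ignored": []}
        elif CLOSE.match(line):
            if current is not None:
                findings.append(current)
            current = None
        elif current is not None:
            name = line.split()[0]
            if name.lower() not in LIMIT_AWARE:
                # Directive applies to every method despite the <Limit> wrapper.
                current["ignored"].append(name)
    return findings


# Constructed sample config, not taken from the thread.
SAMPLE = """\
<Directory /var/www/private>
    <Limit GET POST>
        AuthType Basic
        AuthName "private"
        Require valid-user
    </Limit>
    <LimitExcept GET>
        Require valid-user
    </LimitExcept>
</Directory>
"""

if __name__ == "__main__":
    for f in audit_limit_sections(SAMPLE):
        print(f"line {f['line']}: <Limit {' '.join(f['methods'])}> "
              f"not limit-aware: {', '.join(f['ignored']) or 'none'}")
```

Each finding is a candidate for review before moving to 2.4: the listed methods are the only ones the enclosed access controls cover.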
