Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[André Malo]

* "William A. Rowe, Jr." <[EMAIL PROTECTED]> wrote:

> NOOO 

;-)

>  seriously this option is too overloaded as it is.  Let's try to
> leave boolean flags in IndexOptions, but create new directive names if
> they are non-trival choices.

>>IndexOptions CSS=/foo/bar.css

Hmm. What about *width, *height options and all the stuff? New directives?
Booh.

And... how do you want to switch off the css setting?
IndexCSS off
? hrm. I see kinda namespace clashing here.

nd

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[William A. Rowe, Jr.]

NOOO 

 seriously this option is too overloaded as it is.  Let's try to leave boolean
flags in IndexOptions, but create new directive names if they are non-trival
choices.

Bill


At 01:47 AM 11/20/2003, André Malo wrote:
>* "Paul Querna" <[EMAIL PROTECTED]> wrote:
>
>> On Thu, 20 Nov 2003 07:18:55 +0100, André Malo wrote
>> > * [EMAIL PROTECTED] wrote:
>> > 
>> > >   mod_autoindex: new directive IndexStyleSheet
>> > 
>> > Hmm, why not new IndexOption? Isn't that what Indexoptions are for?
>> > 
>> 
>> You mean somthing like:
>> IndexOpion StyleSheet:/style/mystyle.css
>> ?
>
>More consistent with the rest of the indexoptions ;-)
>
>IndexOptions CSS=/foo/bar.css
>
>This hat btw the advantage that you can easily turn off the css for
>particular locations (because of the nature of IndexOptions).
>
>nd

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Ian Holsman]

André Malo wrote:
* "Paul Querna" <[EMAIL PROTECTED]> wrote:


On Thu, 20 Nov 2003 07:18:55 +0100, André Malo wrote

* [EMAIL PROTECTED] wrote:


 mod_autoindex: new directive IndexStyleSheet
Hmm, why not new IndexOption? Isn't that what Indexoptions are for?

You mean somthing like:
IndexOpion StyleSheet:/style/mystyle.css
?


More consistent with the rest of the indexoptions ;-)

IndexOptions CSS=/foo/bar.css

This hat btw the advantage that you can easily turn off the css for
particular locations (because of the nature of IndexOptions).
nd

I guess you could do it with that as well.
my personal preference is a seperate directive, but I'm easily swayed
--Ian

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[André Malo]

* "Paul Querna" <[EMAIL PROTECTED]> wrote:

> On Thu, 20 Nov 2003 07:18:55 +0100, André Malo wrote
> > * [EMAIL PROTECTED] wrote:
> > 
> > >   mod_autoindex: new directive IndexStyleSheet
> > 
> > Hmm, why not new IndexOption? Isn't that what Indexoptions are for?
> > 
> 
> You mean somthing like:
> IndexOpion StyleSheet:/style/mystyle.css
> ?

More consistent with the rest of the indexoptions ;-)

IndexOptions CSS=/foo/bar.css

This hat btw the advantage that you can easily turn off the css for
particular locations (because of the nature of IndexOptions).

nd

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Paul Querna]

On Thu, 20 Nov 2003 07:18:55 +0100, André Malo wrote
> * [EMAIL PROTECTED] wrote:
> 
> >   mod_autoindex: new directive IndexStyleSheet
> 
> Hmm, why not new IndexOption? Isn't that what Indexoptions are for?
> 

You mean somthing like:
IndexOpion StyleSheet:/style/mystyle.css
?

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[André Malo]

* [EMAIL PROTECTED] wrote:

>   mod_autoindex: new directive IndexStyleSheet

Hmm, why not new IndexOption? Isn't that what Indexoptions are for?

nd

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Jeff Trawick]

[EMAIL PROTECTED] wrote:

ianh2003/11/19 19:45:23

  Modified:.CHANGES
   docs/manual/mod mod_autoindex.xml
   modules/generators mod_autoindex.c
which prompts me to add a section on special documentation issues to my 
submitting-your-patch changes, since the html ought to be regenerated at the 
same time ;)

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[André Malo]

* Justin Erenkrantz wrote:

> --On Sunday, March 2, 2003 1:45 PM + [EMAIL PROTECTED] wrote:
> 
>> nd  2003/03/02 05:45:00
>>
>>   Modified:modules/generators Tag: APACHE_2_0_BRANCH mod_autoindex.c
>>   Log:
>>   WS and style issues. No code changes.
> 
> For future reference, we should not backport style changes to the stable
> branch.  We need to keep the diffs as minimal as possible once we hit a
> releasable state.  Otherwise, it is hard to know exactly what changed from
> release to release.
> 
> Dean and Roy had our definitive thread on this a few years back (during the
> 1.3 beta period).  I realize you probably aren't aware of this.  But, it comes
> up every time someone wants to veto style changes.

ok, noted and accepted - although it makes it a bit harder to backport the 
bugfixes (when they're done in unstable after a style cleanup). IMHO.

nd
-- 
s;.*;aoaaaoaaoaaaom:a:alataa:aaoat:a:a:a
maoaa:a:laoata:a:oia:a:o:a:m:a:o:alaoooat:aaool:aaoaa
matooololaaatoto:aaa:o:a:o:m;;s:\s:\::g;y;mailto:;
\40\51/\134\137|ndparker <[EMAIL PROTECTED]>;;print;

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Justin Erenkrantz]

--On Sunday, March 2, 2003 1:45 PM + [EMAIL PROTECTED] wrote:

nd  2003/03/02 05:45:00

  Modified:modules/generators Tag: APACHE_2_0_BRANCH mod_autoindex.c
  Log:
  WS and style issues. No code changes.
For future reference, we should not backport style changes to the stable 
branch.  We need to keep the diffs as minimal as possible once we hit a 
releasable state.  Otherwise, it is hard to know exactly what changed from 
release to release.

Dean and Roy had our definitive thread on this a few years back (during the 
1.3 beta period).  I realize you probably aren't aware of this.  But, it comes 
up every time someone wants to veto style changes.

No problem doing it on the unstable branch, but these shouldn't be backported 
to stable.  -- justin

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Jeff Trawick]

Greg Stein <[EMAIL PROTECTED]> writes:

> On Fri, May 31, 2002 at 08:50:14PM -, [EMAIL PROTECTED] wrote:
> > trawick 2002/05/31 13:50:14
> > 
> >   Modified:modules/generators mod_autoindex.c
> >   Log:
> >   if we autoindex, discard the request body and check for any
> >   errors doing so
> 
> When a request finishes, it will toss the request body. Why does autoindex
> need to do this manually?

It isn't happening (or at least it wasn't happening Friday :) ).  Do
you have a hint about where the code to do that is?  Also, why does
default_handler() discard the request body if it is going to happen
automatically?

-- 
Jeff Trawick | [EMAIL PROTECTED]
Born in Roswell... married an alien...

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Greg Stein]

On Fri, May 31, 2002 at 08:50:14PM -, [EMAIL PROTECTED] wrote:
> trawick 2002/05/31 13:50:14
> 
>   Modified:modules/generators mod_autoindex.c
>   Log:
>   if we autoindex, discard the request body and check for any
>   errors doing so

When a request finishes, it will toss the request body. Why does autoindex
need to do this manually?

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

RE: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Ryan Bloom]

> > > The problem is that the fast_internal_redirect is removing
the
> OLD_WRITE filter.
> >
> > I'm going to try it on my box without this patch, and with no
Multiviews
> (to get
> > rid of fast_internal_redirects for HEADER and README).  If that
works
> with HEAD
> > as well as it did in 2.0.32, great!
> 
> HEAD does work fine on my box without Multiviews, as you predicted.
But
> doing
> the Right Thing w.r.t. OLD_WRITE and fast_internal_redirect just
doesn't
> sound
> like rocket science.

I have a hack in there for now.  Feel free to look at how to solve it
for real.  I beat my head against it for a few hours this week.  I'll
look at it again after the 2.0.35 GA is released.

Ryan

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Greg Ames]

Greg Ames wrote:
> 
> [EMAIL PROTECTED] wrote:

> > The problem is that the fast_internal_redirect is removing the OLD_WRITE 
>filter.
> 
> I'm going to try it on my box without this patch, and with no Multiviews (to get
> rid of fast_internal_redirects for HEADER and README).  If that works with HEAD
> as well as it did in 2.0.32, great!  

HEAD does work fine on my box without Multiviews, as you predicted.  But doing
the Right Thing w.r.t. OLD_WRITE and fast_internal_redirect just doesn't sound
like rocket science.

Greg

RE: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Ryan Bloom]

> Ryan Bloom wrote:
> >
> > > [EMAIL PROTECTED] wrote:
> > > >
> > > > rbb 02/04/05 09:50:37
> > > >
> > > >   Modified:modules/generators mod_autoindex.c
> > > >   Log:
> > > >   This is a HACK!
> > >
> > > Why would it be difficult for the core to preserve OLD_WRITE in
the
> > subreq
> > > filter chain?  We knew how to do that in 2.0.32.  One would hope
we
> > get
> > > smarter
> > > as we get more experienced.
> >
> > Because in pre-2.0.32 code, fast_internal_redirects didn't remove
all of
> > the RESOURCE filters.  It does now, because that is the correct
thing to
> > do.  The problem is that there is one RESOURCE filters that we want
to
> > keep, OLD_WRITE.
> 
> OK, so maybe we proved that OLD_WRITE isn't an ordinary RESOURCE
filter.
> Calling it something else might do the trick.

The problem is that it MUST be a RESOURCE filter, or it will be put in
the wrong location in the filter stack.

Ryan

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Greg Ames]

Ryan Bloom wrote:
> 
> > [EMAIL PROTECTED] wrote:
> > >
> > > rbb 02/04/05 09:50:37
> > >
> > >   Modified:modules/generators mod_autoindex.c
> > >   Log:
> > >   This is a HACK!
> >
> > Why would it be difficult for the core to preserve OLD_WRITE in the
> subreq
> > filter chain?  We knew how to do that in 2.0.32.  One would hope we
> get
> > smarter
> > as we get more experienced.
> 
> Because in pre-2.0.32 code, fast_internal_redirects didn't remove all of
> the RESOURCE filters.  It does now, because that is the correct thing to
> do.  The problem is that there is one RESOURCE filters that we want to
> keep, OLD_WRITE. 

OK, so maybe we proved that OLD_WRITE isn't an ordinary RESOURCE filter. 
Calling it something else might do the trick.

Greg

RE: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Ryan Bloom]

> [EMAIL PROTECTED] wrote:
> >
> > rbb 02/04/05 09:50:37
> >
> >   Modified:modules/generators mod_autoindex.c
> >   Log:
> >   This is a HACK!
> 
> Why would it be difficult for the core to preserve OLD_WRITE in the
subreq
> filter chain?  We knew how to do that in 2.0.32.  One would hope we
get
> smarter
> as we get more experienced.

Because in pre-2.0.32 code, fast_internal_redirects didn't remove all of
the RESOURCE filters.  It does now, because that is the correct thing to
do.  The problem is that there is one RESOURCE filters that we want to
keep, OLD_WRITE.  I had thought about just having the core do this, but
that gets ugly quickly, because the bug is incredibly specific to having
a fast_internal_redirect inside of a content generator.

Ryan

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Greg Ames]

[EMAIL PROTECTED] wrote:
> 
> rbb 02/04/05 09:50:37
> 
>   Modified:modules/generators mod_autoindex.c
>   Log:
>   This is a HACK! 

Why would it be difficult for the core to preserve OLD_WRITE in the subreq
filter chain?  We knew how to do that in 2.0.32.  One would hope we get smarter
as we get more experienced.

> The problem is that the fast_internal_redirect is removing the OLD_WRITE 
>filter. 

I'm going to try it on my box without this patch, and with no Multiviews (to get
rid of fast_internal_redirects for HEADER and README).  If that works with HEAD
as well as it did in 2.0.32, great!  If not, I think we need to do better.

Greg

p.s. why do I care?  I'm working on a SpecWeb99 module for Apache 2.0.  The way
I see it working is using ap_rputs to generate a little bit of dynamic html,
then running a subrequest to send a file, then using ap_rputs to generate a
small trailer.  That would work in 2.0.32.  IMO it should also work in a GA
release.

RE: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Ryan Bloom]

>   Modified:modules/generators mod_autoindex.c
>   Log:
>   This is a HACK!  The problem is that the fast_internal_redirect is
>   removing the OLD_WRITE filter. Obviously that is wrong.  For right
now,
>   the fix is to hack around the problem and just make it work.  Long
term,
>   we need to find a real solution to this, but this gets autoindex
working
>   today.

This fixes the final problems with mod_autoindex.  I agree that this is
not the correct long-term solution.  I am deadly serious when I say I
want a GA release today.

The only way that 2.0 has ever made it out the door is for somebody to
stand up and say that they want this more than life itself.  I am saying
that today.  Let's ship 2.0.34 (bumped to HEAD) today, and if we need a
2.0.35 next week to fix some bugs, then we will do that next week.

This thing has been five years in the making already, and it's time to
go GA!

Ryan

 

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Rodent of Unusual Size]

Cliff Woolley wrote:
> 
> Reverted.

Ta.  401 and 500 are (or can be) slightly special cases.  401
because we're not sure the user can access the resource and
shouldn't let him know it even exists without that surety.  And
500 because we're not sure what went wrong, and if the
config error were fixed it might deny access.  Paranoia mode.

403 is one of those on-the-fence things; we know access is
categorically denied, but should we tell the user since he
can (presumably) never get it?  You'll find proponents on
boths sides, but most security people will plump for obscuring
the resource's existence.

Good work, though, Cliff, and fast. :-)
-- 
#kenP-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist  http://Apache-Server.Com/

"Millennium hand and shrimp!"

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Cliff Woolley]

On Tue, 5 Feb 2002, Rodent of Unusual Size wrote:

> [EMAIL PROTECTED] wrote:
> >
> >   List files that would result in HTTP_UNAUTHORIZED in addition to
> >   successes and redirections, since there's a chance the client will
> >   actually have the proper authorization to retrieve them.
>
> -1 (yes, a veto).  Standard security practice: you don't
> expose even meta-information without knowing the user can
> access it.

Reverted.

--Cliff

--
   Cliff Woolley
   [EMAIL PROTECTED]
   Charlottesville, VA

Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

[Rodent of Unusual Size]

[EMAIL PROTECTED] wrote:
> 
>   List files that would result in HTTP_UNAUTHORIZED in addition to
>   successes and redirections, since there's a chance the client will
>   actually have the proper authorization to retrieve them.

-1 (yes, a veto).  Standard security practice: you don't
expose even meta-information without knowing the user can
access it.  Unixish systems have broken with this practice
since day one by making /etc/passwd readable, but it's still
visible in the login sequence: you get asked for a password
even if the username exists, and the 'login incorrect'
doesn't tell you that it failed because of an invalid username.

Exposing the existence of something without knowing that the
user can access it provides a definite target for probing and
attack.
-- 
#kenP-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist  http://Apache-Server.Com/

"Millennium hand and shrimp!"