Posted to cvs@httpd.apache.org by wr...@apache.org on 2011/02/10 23:57:02 UTC

svn commit: r1069603 - /httpd/httpd/branches/2.2.x/STATUS

Author: wrowe
Date: Thu Feb 10 22:57:02 2011
New Revision: 1069603

URL: http://svn.apache.org/viewvc?rev=1069603&view=rev
Log:
Votes

Modified:
    httpd/httpd/branches/2.2.x/STATUS

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1069603&r1=1069602&r2=1069603&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Thu Feb 10 22:57:02 2011
@@ -174,7 +174,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
        with reason string for why suEXEC is disabled)
      Plz consider where doc for directive should go.  Patch has it in core, as
      enabling/disabling the basic capability is not split out into mod_unixd 2.2.x.
-     +1: trawick, covener
+     +1: trawick, covener, wrowe
 
    * mod_proxy_http: Become aware of ssl handshake failures when attempting
      to pass request. Makes it so workers are put in error state when a
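Review bot: on the suEXEC item, the added wrowe +1 sits directly under the open request "Plz consider where doc for directive should go" without saying whether documenting the directive in core is accepted. Suggest recording that answer alongside the vote so the doc placement is settled before the backport is applied.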
@@ -183,7 +183,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
      Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1039304
                   http://svn.apache.org/viewvc?view=revision&revision=1053584
      2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26450
-     +1: rpluem, jim
+     +1: rpluem, jim, wrowe
 
   * core: Add NoDecode option to AllowEncodedSlashes to turn off decoding
     of encoded slashes in path info.  (This is already the behavior of
@@ -192,11 +192,18 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
       Backport version for 2.2.x of patch:
          http://people.apache.org/~poirier/AllowEncodedSlashes.22.patch
       +1 poirier, jim
+      +.1 wrowe; this essentially causes "%2F" -> "%2F" -> "%252F" to any backend,
+                 as mentioned previously trunk is broken and decoding to 'something'
+                 is necessary for routing such.  %2F cannot be distinguished from
+                 %252F on the front end, adding risks.  All this said, not against 
+                 an optional broken feature if this warning is placed in the docs.
+                 Non-optional broken features are worse :)
+                 Trunk must be patched identically.
 
   * configure: add basic support to build with MinGW/MSYS (backport of r422182)
      Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=422182
      2.2.x patch: http://people.apache.org/~fuankg/diffs/r422182-2.2.x.diff
-     +1 fuankg
+     +1 fuankg, wrowe
    
 PATCHES/ISSUES THAT ARE STALLED
 
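Review bot: the "+.1 wrowe" entry on the AllowEncodedSlashes NoDecode item makes its support conditional ("if this warning is placed in the docs", "Trunk must be patched identically"), but those conditions live only inside the vote text, and "as mentioned previously" carries no pointer to the earlier discussion. Suggest adding the thread reference and restating the docs warning as a requirement on the item itself, since the stated concern is that "%2F cannot be distinguished from %252F on the front end" and that should not be lost when votes are tallied. The line ending "not against " also has trailing whitespace, and the vote lines in this hunk omit the colon used elsewhere ("+1 fuankg, wrowe" versus "+1: rpluem, jim, wrowe").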



Re: svn commit: r1069603 - /httpd/httpd/branches/2.2.x/STATUS

Posted by Dan Poirier <po...@pobox.com>.
On Thu. 2011-02-10 at 05:57 PM EST, wrowe@apache.org wrote:

> Author: wrowe
> Date: Thu Feb 10 22:57:02 2011
> New Revision: 1069603
...
>  
>    * core: Add NoDecode option to AllowEncodedSlashes to turn off decoding
>      of encoded slashes in path info.  (This is already the behavior of
> @@ -192,11 +192,18 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>        Backport version for 2.2.x of patch:
>           http://people.apache.org/~poirier/AllowEncodedSlashes.22.patch
>        +1 poirier, jim
> +      +.1 wrowe; this essentially causes "%2F" -> "%2F" -> "%252F" to any backend,
> +                 as mentioned previously trunk is broken and decoding to 'something'
> +                 is necessary for routing such.  %2F cannot be distinguished from
> +                 %252F on the front end, adding risks.  All this said, not against 
> +                 an optional broken feature if this warning is placed in the docs.
> +                 Non-optional broken features are worse :)
> +                 Trunk must be patched identically.

Bill, patching trunk identically would change the behavior of
"AllowEncodedSlashes On" in trunk from not decoding %2F to decoding %2F.
Before doing that, I wanted to double-check that was the intention, and
make sure nobody else objected to that behavior change in trunk.

(Background for those who haven't been following along: In trunk,
AllowEncodedSlashes On does not decode %2F.  In 2.2.x,
AllowEncodedSlashes On does decode %2F.  The proposed patch to 2.2.x
would add another option in 2.2.x, AllowEncodedSlashes NoDecode, which
would allow the encoded slashes but not decode them.)

Dan
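
The ambiguity discussed in this thread, as an added example that is not part of the original messages or of httpd's code: a simplified Python model of the two settings, assuming the front end unescapes the path in one pass and a proxy step then re-escapes "%" for the backend. The function names and sample paths are constructed for illustration.

```python
import re
from urllib.parse import quote

_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

# Constructed sample request paths (not taken from the thread).
SAMPLE = ["/app/a%2Fb", "/app/a%252Fb", "/app/a/b"]


def frontend_path(raw_path, mode):
    """Model of one-pass path unescaping on the front end (assumption).

    mode "On":       every %XX is decoded, so %2F becomes "/".
    mode "NoDecode": every %XX is decoded except %2F, which stays as written.
    """
    if mode not in ("On", "NoDecode"):
        raise ValueError("mode must be 'On' or 'NoDecode'")

    def decode(match):
        char = chr(int(match.group(1), 16))
        if char == "/" and mode == "NoDecode":
            return match.group(0)  # leave the encoded slash untouched
        return char

    return _ESCAPE.sub(decode, raw_path)


def backend_path(internal_path):
    """Model of re-escaping before the request is passed on (assumption):
    a literal "%" in the internal path is sent to the backend as "%25"."""
    return quote(internal_path, safe="/")


def collisions(raw_paths, mode):
    """Group raw paths that become the same internal path on the front end."""
    groups = {}
    for raw in raw_paths:
        groups.setdefault(frontend_path(raw, mode), []).append(raw)
    return {internal: raws for internal, raws in groups.items() if len(raws) > 1}


if __name__ == "__main__":
    for mode in ("On", "NoDecode"):
        print(mode, collisions(SAMPLE, mode))
        for raw in SAMPLE:
            internal = frontend_path(raw, mode)
            print(f"  {raw} -> {internal} -> {backend_path(internal)}")
```

In this model NoDecode merges a request for %2F with one for %252F, while On merges %2F with a literal slash, so each setting drops a different distinction before the backend sees the path.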