Posted to dev@httpd.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2011/09/15 16:23:11 UTC

Fwd: Mis-configured Rewrite Rule Exposed Filesystem

not acked


Re: EOL for 2.0

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/17/2011 8:59 PM, Rich Bowen wrote:
> 
> On Sep 16, 2011, at 11:59 AM, William A. Rowe Jr. wrote:
> 
>> On 9/16/2011 12:51 AM, Issac Goldstand wrote:
>>> IIRC, we talked about making 2.0 EOL when we make the next release, but
>>> I don't think we ever formalized the decision. 
>>>
>>> Does anyone have comments for or against announcing 2.0 End-Of-Life at a
>>> set time (say 3 months) following the release of 2.4?
>>
>> Yes, I'd prefer we set a 12 month sunset on 2.0 in conjunction with the
>> 2.4 release, not 3 months later when nobody is paying attention.
> 
> +1. While I'd like to be rid of it earlier, I think 3 months is too fast. 12 months may be too long, but we lose nothing by setting it there rather than too short.

A 12 mos sunset is what we declared for 1.3 (or that is effectively what
happened)... we announced the final 1.3.42, and over the following 12 mos,
we examined various security complaints and found that none really applied.
In that time we turned off httpd-1.3 in bugzilla and warned everyone of its
end of life, no further releases.

And at the end of those 12 mos (13-14 actually) I pulled httpd-1.3.42 off of
downloads.xml, out of dist/httpd/, and removed various other references.
There is now simply a few remaining references to archive.a.o, which will
incidentally mention this is where old 1.3 can be found.

We can easily do the same with 2.0.64; no further bugfix releases expected,
and security fixes will end 12 months from the release of 2.4.0.  That is
what sunset refers to, very limited support before being entirely abandoned.
We didn't even promise to go this far in 1.3 (we said security -patches- would
be announced during its sunset).

During those 12 mos, various sites made their own calls on statements about
their third party modules for 1.3, ranging from 'we quit updating effective
immediately' to 'we'll keep supporting and updating our module, irrespective
of the ASF's project'.  Which is all fine, it is entirely their individual
choice as individual projects.  But we framed the conversation so they could
each come up with their own messaging to their own end users.

Re: EOL for 2.0

Posted by Rich Bowen <rb...@rcbowen.com>.
On Sep 16, 2011, at 11:59 AM, William A. Rowe Jr. wrote:

> On 9/16/2011 12:51 AM, Issac Goldstand wrote:
>> IIRC, we talked about making 2.0 EOL when we make the next release, but
>> I don't think we ever formalized the decision. 
>> 
>> Does anyone have comments for or against announcing 2.0 End-Of-Life at a
>> set time (say 3 months) following the release of 2.4?
> 
> Yes, I'd prefer we set a 12 month sunset on 2.0 in conjunction with the
> 2.4 release, not 3 months later when nobody is paying attention.

+1. While I'd like to be rid of it earlier, I think 3 months is too fast. 12 months may be too long, but we lose nothing by setting it there rather than too short.

--
Rich Bowen
rbowen@rcbowen.com
rbowen@apache.org

Re: EOL for 2.0

Posted by Ruediger Pluem <rp...@apache.org>.

On 09/17/2011 12:25 PM, Rainer Jung wrote:
> On 16.09.2011 17:59, William A. Rowe Jr. wrote:
>> On 9/16/2011 12:51 AM, Issac Goldstand wrote:
>>> IIRC, we talked about making 2.0 EOL when we make the next release, but
>>> I don't think we ever formalized the decision. 
>>>
>>> Does anyone have comments for or against announcing 2.0 End-Of-Life at a
>>> set time (say 3 months) following the release of 2.4?
>> Yes, I'd prefer we set a 12 month sunset on 2.0 in conjunction with the
>> 2.4 release, not 3 months later when nobody is paying attention.
> 
> +1, 3 months is a bit quick, 12 months should be OK.

+1

Regards

Rüdiger


Re: EOL for 2.0

Posted by Rainer Jung <ra...@kippdata.de>.
On 16.09.2011 17:59, William A. Rowe Jr. wrote:
> On 9/16/2011 12:51 AM, Issac Goldstand wrote:
>> IIRC, we talked about making 2.0 EOL when we make the next release, but
>> I don't think we ever formalized the decision. 
>>
>> Does anyone have comments for or against announcing 2.0 End-Of-Life at a
>> set time (say 3 months) following the release of 2.4?
> 
> Yes, I'd prefer we set a 12 month sunset on 2.0 in conjunction with the
> 2.4 release, not 3 months later when nobody is paying attention.

+1, 3 months is a bit quick, 12 months should be OK.

Regards,

Rainer

Re: EOL for 2.0

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/16/2011 12:51 AM, Issac Goldstand wrote:
> IIRC, we talked about making 2.0 EOL when we make the next release, but
> I don't think we ever formalized the decision. 
> 
> Does anyone have comments for or against announcing 2.0 End-Of-Life at a
> set time (say 3 months) following the release of 2.4?

Yes, I'd prefer we set a 12 month sunset on 2.0 in conjunction with the
2.4 release, not 3 months later when nobody is paying attention.

EOL for 2.0

Posted by Issac Goldstand <ma...@beamartyr.net>.
IIRC, we talked about making 2.0 EOL when we make the next release, but
I don't think we ever formalized the decision. 

Does anyone have comments for or against announcing 2.0 End-Of-Life at a
set time (say 3 months) following the release of 2.4?

  Issac

Re: Fwd: Mis-configured Rewrite Rule Exposed Filesystem

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/16/2011 12:47 AM, Issac Goldstand wrote:
> +1, but I don't think that we can fully deprecate until the next major
> revision/release (eg 2.6/3.0).

Correct, Roy and one or two others have vetoed any deprecation of
directives in the 2.4 release (such as the broken <Limit > context).

Re: Fwd: Mis-configured Rewrite Rule Exposed Filesystem

Posted by Issac Goldstand <ma...@beamartyr.net>.
On 15/09/2011 22:16, William A. Rowe Jr. wrote:
> On 9/15/2011 2:14 PM, Stefan Fritsch wrote:
>>> In the same spirit as axing the <Foo ~ ""> regex match syntax
>>> becoming <FooMatch "">.
>> Should we start in 2.4 by logging a deprecation warning at level info 
>> for the <Foo ~ ""> syntax?
> That was just a example of why your suggestion is good.
>
> We could do that, yes.

+1, but I don't think that we can fully deprecate until the next major
revision/release (e.g. 2.6/3.0).  I think that the majority of users won't
upgrade until the big distributions pick up 2.4, which isn't going to
finish happening for 6-12 months after we release 2.4.

  Issac

Re: Fwd: Mis-configured Rewrite Rule Exposed Filesystem

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/15/2011 2:14 PM, Stefan Fritsch wrote:
> 
>> In the same spirit as axing the <Foo ~ ""> regex match syntax
>> becoming <FooMatch "">.
> 
> Should we start in 2.4 by logging a deprecation warning at level info 
> for the <Foo ~ ""> syntax?

That was just an example of why your suggestion is good.

We could do that, yes.

Re: Fwd: Mis-configured Rewrite Rule Exposed Filesystem

Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Thursday 15 September 2011, William A. Rowe Jr. wrote:
> On 9/15/2011 9:55 AM, Eric Covener wrote:
> > sf wanted to fork RewriteRule into a flavor that never guessed if
> > you meant to provide a URL or a File for 2.4, and take the oppty
> > to unload some other baggage with the new flavors. I am +1 to
> > that for 2.4 (even 2.4.>0) since we'd leave RewriteRule intact.
> 
> +1 here, too.  Yes, there are RewriteRule 'flags', but as this
> particular user observed, getting the flags right can be tricky. 
> Explicit directives for uri -> uri, uri -> file and uri -> proxy
> transformations would be much less error prone.

Yes. The problem is that the default behaviour of RewriteRule is bad, 
so it can't be fixed without breaking people's configs. But doing the 
new RewriteTo* flavors right will require considerable thought and a 
lot of testing. I don't have enough spare cycles to do that at the 
moment and I don't want to delay 2.4 for it.

> In the same spirit as axing the <Foo ~ ""> regex match syntax
> becoming <FooMatch "">.

Should we start in 2.4 by logging a deprecation warning at level info 
for the <Foo ~ ""> syntax?

Re: Fwd: Mis-configured Rewrite Rule Exposed Filesystem

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/15/2011 9:55 AM, Eric Covener wrote:
> 
> sf wanted to fork RewriteRule into a flavor that never guessed if you
> meant to provide a URL or a File for 2.4, and take the oppty to unload
> some other baggage with the new flavors. I am +1 to that for 2.4 (even
> 2.4.>0) since we'd leave RewriteRule intact.

+1 here, too.  Yes, there are RewriteRule 'flags', but as this particular
user observed, getting the flags right can be tricky.  Explicit directives
for uri -> uri, uri -> file and uri -> proxy transformations would be
much less error prone.  In the same spirit as axing the <Foo ~ ""> regex
match syntax becoming <FooMatch "">.

Re: Fwd: Mis-configured Rewrite Rule Exposed Filesystem

Posted by Eric Covener <co...@gmail.com>.
On Thu, Sep 15, 2011 at 10:35 AM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:
>> We have done update on Apache server from 2.0.x to 2.2.x. Afterwards, the root filesystem
>> was exposed to public. The root cause was the following misconfigured rewrite rule:
>>
>>     RewriteRule ^(.*) $1  [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]
>
> Is there something here to be fixed w.r.t. the documentation about
> rewriterule syntax changed when upgrading?

IIUC, it's not a 2.2-ism, it's ancient.  Most people report it as a 403
just as if you added an Alias without adding a <Directory> section to
punch a hole for it.

Rewrite assumes you meant to substitute uri-to-file when the prefix
exists in the filesystem.  For this particular user, the correct rule
would not substitute at all (-) when they just want to set envvars.

Sniff tested on a 2.0 build and confirmed it is not a migration issue / 2.2-ism.

sf wanted to fork RewriteRule into a flavor that never guessed if you
meant to provide a URL or a File for 2.4, and take the oppty to unload
some other baggage with the new flavors. I am +1 to that for 2.4 (even
2.4.>0) since we'd leave RewriteRule intact.

-- 
Eric Covener
covener@gmail.com
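
The reported rule next to the corrected one, as an added example that is not
from this thread or from the httpd project. The host name, DocumentRoot and
log path are assumptions; the ORDNER/TOMCAT values and the 10.x.x.x / X
placeholders are carried over verbatim from the report. The block is written
in httpd 2.2 syntax (the version the reporter had upgraded to); the comments
describe mod_rewrite's documented rule for guessing whether a substitution is
a URL-path or a filesystem path.

```apache
# Added example (not from the thread): why "RewriteRule ^(.*) $1 [E=...]"
# exposes the filesystem, and the rule that was actually intended.
# Assumed hostname, DocumentRoot and log path; 2.2 directive syntax.
<VirtualHost *:80>
    ServerName   example.test
    DocumentRoot /var/www/html

    RewriteEngine On

    # BROKEN (commented out): the intent was only to set two environment
    # variables, but the substitution "$1" is the whole request URI.
    # mod_rewrite guesses that a substitution is a filesystem path, not a
    # URL-path, when its first segment exists at the root of the filesystem:
    #   GET /index.html  -> "/index.html": no "/index.html" at the root,
    #                       so it stays a URL-path and is mapped under
    #                       DocumentRoot as usual.
    #   GET /etc/passwd  -> "/etc/passwd": "/etc" exists at the root, so
    #                       the request is served from the real filesystem.
    # Whether that yields the file or a 403 depends only on the <Directory />
    # access rules below; the rewrite itself is the exposure.
    #RewriteRule ^(.*) $1 [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]

    # FIXED: "-" means "no substitution". The URI passes through untouched
    # and only the flags (the two E= assignments) take effect.
    RewriteRule ^(.*) - [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]

    # Defence in depth: keep the default deny on the filesystem root so the
    # next rewrite mistake fails closed (403) instead of exposing files.
    # 2.2 syntax; on 2.4 use "Require all denied" / "Require all granted".
    <Directory />
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    <Directory /var/www/html>
        Order allow,deny
        Allow from all
    </Directory>

    # To check how a rule is being interpreted, log the rewrite engine
    # (2.2: the two directives below; 2.4: "LogLevel rewrite:trace3") and
    # request a URI whose first segment exists on disk, e.g. /etc/hostname.
    # A "prefixed with document_root" line means URL-path handling; a
    # "local path result" line means the substitution went to the filesystem.
    RewriteLog      /var/log/apache2/rewrite.log
    RewriteLogLevel 3
</VirtualHost>
```

The <Directory /> deny block is the reason most reporters see a 403 rather
than file contents: it is not what makes the configuration correct, the "-"
substitution is, but it is what limits the damage while a rewrite guess goes
wrong.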

Re: Fwd: Mis-configured Rewrite Rule Exposed Filesystem

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
> We have done update on Apache server from 2.0.x to 2.2.x. Afterwards, the root filesystem
> was exposed to public. The root cause was the following misconfigured rewrite rule:
> 
>     RewriteRule ^(.*) $1  [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]

Is there something here to be fixed w.r.t. the documentation about
rewriterule syntax changed when upgrading?

Re: Fwd: Mis-configured Rewrite Rule Exposed Filesystem

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/15/2011 9:23 AM, William A. Rowe Jr. wrote:
> not acked

Autocomplete stupidity, sorry.  I'll respond to 'reporter'.