Posted to dev@httpd.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2011/09/08 00:44:04 UTC
[vote] "Security" change to default configs trunk/2.2/2.0
Per a dialog with a reporter and Ben Laurie, I did a search on where
we had enabled Multiviews, and I'd propose we disable this by default
as the server would default it as well. These places were:
Index: extra/httpd-userdir.conf.in
===================================================================
--- extra/httpd-userdir.conf.in (revision 1166228)
+++ extra/httpd-userdir.conf.in (working copy)
@@ -15,7 +15,7 @@
#
<Directory "/home/*/public_html">
AllowOverride FileInfo AuthConfig Limit Indexes
- Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+ Options Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
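Review bot: the new `Options Indexes SymLinksIfOwnerMatch IncludesNoExec` line is an absolute list, and the unchanged `AllowOverride FileInfo AuthConfig Limit Indexes` on the line above does not grant `Options`, so a per-user .htaccess cannot put MultiViews back once this ships. That makes the hunk a hard behaviour change for any /~user/ site that relies on extensionless URLs; it needs a CHANGES entry, and the userdir documentation should tell admins to add MultiViews to this <Directory> block themselves if they want negotiation for home directories.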
Index: extra/httpd-autoindex.conf.in
===================================================================
--- extra/httpd-autoindex.conf.in (revision 1166228)
+++ extra/httpd-autoindex.conf.in (working copy)
@@ -20,7 +20,7 @@
Alias /icons/ "@exp_iconsdir@/"
<Directory "@exp_iconsdir@">
- Options Indexes MultiViews
+ Options Indexes
AllowOverride None
Order allow,deny
Allow from all
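Review bot: the diff is taken against one working copy (revision 1166228) while the subject line targets trunk, 2.2 and 2.0; the context lines here (`Order allow,deny` / `Allow from all`) are the Order/Allow access-control form, so before calling the vote check that the same `Options Indexes MultiViews` line exists in each branch's copy of httpd-autoindex.conf.in and that the hunk applies cleanly there rather than assuming a single patch fits all three.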
Amazingly it doesn't show up in extra/httpd-manual.conf because we
don't even rely on the feature (those are type-maps).
Neither /~user/ nor /icons/ by default requires the multiviews feature.
So please indicate which way we want to go here...
[ ] +1 remove these MultiViews from trunk/2.2/2.0
[ ] -1 leave these with MultiViews by default
[discuss] "Security" change to default configs trunk/2.2/2.0
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/8/2011 12:51 AM, Igor Galić wrote:
>
> Who knows how many configs we're breaking with that?
> Also I don't quite see how it's a security thing, at best "security"
> and, for sure, a performance thing (notice: No "")
Good point. In answer to your question, the combination of AddType
(e.g. .html to includes-filter) with additional exceptions might
circumvent protections which the user anticipated were placed on *.html,
assuming those were all of the extensions. We see such noise in the
php community all of the time, and it is a frequent [and invalid]
security report.
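The mechanism Rowe is pointing at, a restriction the admin believes covers every *.html file being sidestepped once negotiation maps an extensionless URL onto an .html file, is easier to see laid out as configuration. The following is an added illustration, not configuration from this thread or from the httpd distribution; the document root, the /reports/ URL and the 10.0.0.0/8 network are assumptions for the example, and it uses the Order/Allow syntax of the 2.0/2.2 branches the vote concerns.

```apache
# Added example, not part of the thread. Paths, the /reports/ URL and the
# 10.0.0.0/8 range are assumptions for illustration only.

# --- Weak: the restriction is expressed on the URL -------------------
# The admin wants only the internal network to read the *.html reports
# and writes the rule against the request URL.
<Directory "/srv/www/site">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<LocationMatch "^/reports/.*\.html$">
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</LocationMatch>

# With MultiViews on, "GET /reports/q3" (no extension) is resolved by
# mod_negotiation to /srv/www/site/reports/q3.html.  <Location> sections
# are matched against the request URL, which never contained ".html", so
# the LocationMatch block is never consulted and the file is served to
# any client.  Any AddType / AddOutputFilter rule keyed on ".html" still
# fires, because those are keyed on the chosen file's extension.

# --- Corrected -------------------------------------------------------
# 1. Do not enable MultiViews where nothing needs it.  The server's own
#    default Options list omits it; the vote above removes the two places
#    the shipped extra configs turned it on.
# 2. Put filesystem restrictions in <Directory>/<Files> sections, which
#    are matched against the file actually selected, not against the URL
#    that reached it.
<Directory "/srv/www/site">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/srv/www/site/reports">
    <FilesMatch "\.html$">
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </FilesMatch>
</Directory>
```

Note that `Options Indexes` is an absolute list and replaces whatever a parent block set; `Options -MultiViews` would only subtract from the inherited list. The patch under vote uses the absolute form, which is why removing one word from the line is enough to turn negotiation off for that directory.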
Re: [vote] "Security" change to default configs trunk/2.2/2.0
Posted by Igor Galić <i....@brainsware.org>.
----- Original Message -----
> Per a dialog with a reporter and Ben Laurie, I did a search on where
> we had enabled Multiviews, and I'd propose we disable this by default
> as the server would default it as well. These places were;
>
> Index: extra/httpd-userdir.conf.in
> ===================================================================
> --- extra/httpd-userdir.conf.in (revision 1166228)
> +++ extra/httpd-userdir.conf.in (working copy)
> @@ -15,7 +15,7 @@
> #
> <Directory "/home/*/public_html">
> AllowOverride FileInfo AuthConfig Limit Indexes
> - Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
> + Options Indexes SymLinksIfOwnerMatch IncludesNoExec
> <Limit GET POST OPTIONS>
> Order allow,deny
> Allow from all
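Review bot: the replacement `Options Indexes SymLinksIfOwnerMatch IncludesNoExec` is an absolute list rather than `Options -MultiViews`, so this block will also discard any MultiViews a parent <Directory> in the site's httpd.conf enables for /home/*/public_html, not just the default the distribution ships. That is the right choice for a default config, but the commit message should say it is deliberate so a backporter does not "fix" it to the relative form, which would merge with the parent and give a different result.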
> Index: extra/httpd-autoindex.conf.in
> ===================================================================
> --- extra/httpd-autoindex.conf.in (revision 1166228)
> +++ extra/httpd-autoindex.conf.in (working copy)
> @@ -20,7 +20,7 @@
> Alias /icons/ "@exp_iconsdir@/"
>
> <Directory "@exp_iconsdir@">
> - Options Indexes MultiViews
> + Options Indexes
> AllowOverride None
> Order allow,deny
> Allow from all
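Review bot: with `AllowOverride None` already in this block the removal is final for /icons/, which is fine, but `Indexes` is kept on the same line, so directory listings of the shipped icon set stay enabled while the stated goal is a tighter default; either drop `Indexes` here as well or state in the commit message that listings of /icons/ are retained on purpose.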
>
> Amazingly it doesn't show up in extra/httpd-manual.conf because we
> don't even rely on the feature (those are type-maps).
>
> Neither /~user/ nor /icons/ by default requires the multiviews
> feature.
> So please indicate which way we want to go here...
>
> [ ] +1 remove these MultiViews from trunk/2.2/2.0
> [ ] -1 leave these with MultiViews by default
+1 remove from trunk
-1 remove from 2.2/2.0
Who knows how many configs we're breaking with that?
Also I don't quite see how it's a security thing, at best "security"
and, for sure, a performance thing (notice: No "")
i
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 571B 8B8A FC97 266D BDA3 EF6F 43AD 80A4 5779 3257