Posted to dev@httpd.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2011/09/08 00:44:04 UTC

[vote] "Security" change to default configs trunk/2.2/2.0

Per a dialog with a reporter and Ben Laurie, I did a search on where
we had enabled Multiviews, and I'd propose we disable this by default
as the server would default it as well.  These places were:

Index: extra/httpd-userdir.conf.in
===================================================================
--- extra/httpd-userdir.conf.in	(revision 1166228)
+++ extra/httpd-userdir.conf.in	(working copy)
@@ -15,7 +15,7 @@
 #
 <Directory "/home/*/public_html">
     AllowOverride FileInfo AuthConfig Limit Indexes
-    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+    Options Indexes SymLinksIfOwnerMatch IncludesNoExec
     <Limit GET POST OPTIONS>
         Order allow,deny
         Allow from all
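Review bot: the `AllowOverride FileInfo AuthConfig Limit Indexes` line in this hunk does not grant `Options`, so a user cannot re-enable MultiViews for their own public_html via .htaccess once it is dropped from the `Options` list; if that is intended, a one-line comment above `<Directory "/home/*/public_html">` saying that negotiation is deliberately off and that extensionless /~user/ URLs now need the real file name would answer the "how many configs we're breaking" concern raised in the thread. Since this is the .in template, the change only reaches configs generated from it, not an httpd.conf already installed.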
Index: extra/httpd-autoindex.conf.in
===================================================================
--- extra/httpd-autoindex.conf.in	(revision 1166228)
+++ extra/httpd-autoindex.conf.in	(working copy)
@@ -20,7 +20,7 @@
 Alias /icons/ "@exp_iconsdir@/"

 <Directory "@exp_iconsdir@">
-    Options Indexes MultiViews
+    Options Indexes
     AllowOverride None
     Order allow,deny
     Allow from all
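Review bot: the icons hunk is consistent with the statement further down that /icons/ does not require MultiViews by default, and with `AllowOverride None` nothing below this directory can turn it back on; a short comment on the `<Directory "@exp_iconsdir@">` block recording that the icon alias serves files by exact name would keep the next editor from re-adding MultiViews out of habit.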

Amazingly it doesn't show up in extra/httpd-manual.conf because we
don't even rely on the feature (those are type-maps).

Neither /~user/ nor /icons/ by default requires the multiviews feature.
So please indicate which way we want to go here...

  [ ] +1 remove these MultiViews from trunk/2.2/2.0
  [ ] -1 leave these with MultiViews by default


[discuss] "Security" change to default configs trunk/2.2/2.0

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/8/2011 12:51 AM, Igor Galić wrote:
> 
> Who knows how many configs we're breaking with that?
> Also I don't quite see how it's a security thing, at best "security"
> and, for sure, a performance thing (notice: No "") 

Good point.  In answer to your question, the combination of AddType
(e.g. .html to includes-filter) with additional exceptions might
circumvent protections which the user anticipated placed on *.html,
assuming those were all of the extensions.  We see such noise in the
php community all of the time, and it is a frequent [and invalid]
security report.

Re: [vote] "Security" change to default configs trunk/2.2/2.0

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> Per a dialog with a reporter and Ben Laurie, I did a search on where
> we had enabled Multiviews, and I'd propose we disable this by default
> as the server would default it as well.  These places were:
> 
> Index: extra/httpd-userdir.conf.in
> ===================================================================
> --- extra/httpd-userdir.conf.in	(revision 1166228)
> +++ extra/httpd-userdir.conf.in	(working copy)
> @@ -15,7 +15,7 @@
>  #
>  <Directory "/home/*/public_html">
>      AllowOverride FileInfo AuthConfig Limit Indexes
> -    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
> +    Options Indexes SymLinksIfOwnerMatch IncludesNoExec
>      <Limit GET POST OPTIONS>
>          Order allow,deny
>          Allow from all
> Index: extra/httpd-autoindex.conf.in
> ===================================================================
> --- extra/httpd-autoindex.conf.in	(revision 1166228)
> +++ extra/httpd-autoindex.conf.in	(working copy)
> @@ -20,7 +20,7 @@
>  Alias /icons/ "@exp_iconsdir@/"
> 
>  <Directory "@exp_iconsdir@">
> -    Options Indexes MultiViews
> +    Options Indexes
>      AllowOverride None
>      Order allow,deny
>      Allow from all
> 
> Amazingly it doesn't show up in extra/httpd-manual.conf because we
> don't even rely on the feature (those are type-maps).
> 
> Neither /~user/ nor /icons/ by default requires the multiviews
> feature.
> So please indicate which way we want to go here...
> 
>   [ ] +1 remove these MultiViews from trunk/2.2/2.0
>   [ ] -1 leave these with MultiViews by default

+1 remove from trunk
-1 remove from 2.2/2.0

Who knows how many configs we're breaking with that?
Also I don't quite see how it's a security thing, at best "security"
and, for sure, a performance thing (notice: No "") 

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 571B 8B8A FC97 266D BDA3  EF6F 43AD 80A4 5779 3257