
Vote summary for 0.8.15
rst Rob Gary Jim randy Roy Ben
26_redirect2 +0 +1 +1 +1 +1 +1 accepted
27_qnx +1(1) +1 +1 +1 0 +1 accepted
28_os2port -1 0 +1 -1 0 0 rejected
29_addtype +1 +1 +1 +1 +1 +1 accepted
30_svr4 +1 +1 +1 +1 +1 +1 +1 accepted
31a_include +0 +1 +1 -1 +1 0 rejected
32a_manpage +1 +1 +1 +1 +1 +1(2) +1 accepted
33_time +1 +1 +1 +1 +1 +1 accepted
34_htgroup -1 0 +1 -1 0 +1 rejected
34a_htgroup.rst +1 0 +1 +1 +1 0 accepted
35.userdir +1 +1 +1 +1 +1 +1 accepted
36.mod_imap.warning +1 +1 accepted(3)
37_tilde_ok +1 +1 accepted(4)
38_pid +1 +1 +1 +1 accepted


(1) (rst) +1 vote applies after the (obvious) correction, as applied.
(2) (roy) -- ONLY if the builder replaces "sever" with "server" in last para.

(3) I use my casting vote (which I just invented) of +1 to accept this patch.
(4) I assume that Roy votes +1 for this patch.

Randy, I think you are mistaken about 31a_include. Would you consider
changing your vote?

David.

Re: Vote summary for 0.8.15
> rst Rob Gary Jim randy Roy Ben
>...
> 36.mod_imap.warning +1 +1 accepted(3)
> 37_tilde_ok +1 +1 accepted(4)

Not that it makes any difference, but I voted +1 for those as well.

.....Roy

Re: Vote summary for 0.8.15
FYI, I have a tentative build of 0.8.16, built according to these votes
(barring *further* last-minute changes), in ftp://ftp.ai.mit.edu/pub/users/rst.

rst

Re: Vote summary for 0.8.15
> Outstanding problems:
> 1. // in paths
> 2. The #include file=xxx problem. Randy seems to have disappeared from this
> list. If this problem is not fixed, then the compatibility notes will
> need a big notice stating:
>

Sorry for my silence. I sent a response immediately to David's request
that I change my vote, but discover now that it fell on the floor...

My comment in short was:

I don't want to change my vote.
I think there needs to be some more discussion about the solution to
this since changing it at this stage in the game will break much of
my include usage, and I suspect others.

I agree that there is a security problem here.

I don't agree with the interpretation of the two tags and would like
to get a chance to look at the NCSA sources to see how they were handled
in the past. I would like more discussion on the matter before we
close doors.

My interpretation:

file= any file as referenced by the local filesystem. Restricting access
outside of the documentroot should be configurable.

virtual= any file as referenced within the document root filespace.
The fact that you can pass an argument *without* a leading slash for
this tag is IMHO a bug.

Re: Vote summary for 0.8.15
> IMHO we should *NOT* permit Apache 1.0 to do stuff that NCSA 1.3R can't. I
> notice that 0.8.16 still doesn't treat file and virtual any
> differently. This is just plain br0ken. Which patch went in to fix
> this, I thought David R had had two bites at fixing this and got it
> right the second time?
>
> Confused.
>
> Ay.

I agree that we need to refer back to NCSA 1.3 to see how it was
handled then. I will look at this today.

Since yourself, David and I seem to be the only ones commenting on
this, I would like to kick this about some more today. Hmmmm I'm
outnumbered.... :-)

See my previous message.

Re: Vote summary for 0.8.15
My 0.8.16 build is now on hyperreal, in the httpd/dist directory. This was
built a couple of days ago, in accord with the results of the vote as recorded;
it therefore does not include the #include file= patch which Randy vetoed, nor
any of the subsequent patches which have been drifting by.

rst

Re: Vote summary for 0.8.15
> > Outstanding problems:
> > 1. // in paths
> > 2. The #include file=xxx problem. Randy seems to have disappeared from this
> > list. If this problem is not fixed, then the compatibility notes will
> > need a big notice stating:
> >
>
> Sorry for my silence. I sent a response immediately to David's request
> that I change my vote, but discover now that it fell on the floor...
>
> My comment in short was:
>
> I don't want to change my vote.

To follow up on my own mail... Having looked at 1.3 and other documentation,
I will change my vote on this to +1. I don't agree with the interpretation
of the tags, but it appears that there is precedence.

To pose a related question.

How are we going to allow access to files outside of documentroot
when we need to? One possible application I have had in the back
of my mind has been for accounting/administration related files,
configuration files etc. Admittedly there are other ways to do this,
but this appears to be one of them.

+1 31a_

Re: Vote summary for 0.8.15
>FYI, I have a tentative build of 0.8.16, built according to these votes
>(barring *further* last-minute changes), in
>ftp://ftp.ai.mit.edu/pub/users/rst.

Sigh; we seem to have stalled again. Can you upload that as 0.8.16?
(At least that would make some progress.)

Outstanding problems:
1. // in paths
2. The #include file=xxx problem. Randy seems to have disappeared from this
list. If this problem is not fixed, then the compatibility notes will
need a big notice stating:

SECURITY Feature: Unlike NCSA httpd or Apache 0.6.5, Web admins concerned
about security (who would not set the FollowSymLinks option for example)
should be concerned about allowing server-side includes in any form. With
Apache 0.8, Options IncludesNOEXEC (and Options Includes) will allow users
to link in any file on the machine into their documents. NCSA httpd
(and Apache 0.6 and earlier) only allow the inclusion of files that
the client could access anyway.


David.
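The file= / virtual= semantics Randy sets out in his reply and the rule in David's security notice above (NCSA httpd only includes files the client could have fetched anyway) come down to one check: resolve the directive's path and refuse it if it leaves DocumentRoot. The C below is an added illustration of that check; it is not Apache's code and nothing the thread's authors wrote. It resolves virtual= against the document space, file= against the including page's directory, collapses the "//" runs David lists as outstanding problem 1, and rejects anything that climbs above the root. The DocumentRoot /htdocs and the page /users/randy/index.shtml used in the comments and checks are constructed sample values, and the function names are mine. It applies the restriction unconditionally; Randy's "should be configurable" knob is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Result codes returned by resolve_ssi_include(). */
enum {
    SSI_OK = 0,
    SSI_REJECT_ESCAPES_ROOT = -1, /* ".." would climb above DocumentRoot */
    SSI_REJECT_BAD_ARG = -2,      /* unknown tag, empty value, or wrong path form */
    SSI_REJECT_TOO_LONG = -3
};

/* Lexically normalise an absolute URI path: collapse "//" runs, drop ".",
 * back out one segment per "..", never touching the filesystem.  Fails when
 * ".." would climb above "/", which is how an include leaves the document space. */
static int normalise_abs_path(const char *path, char *out, size_t outlen)
{
    size_t used = 0;                    /* bytes written to out, excluding the NUL */
    const char *p = path, *start;
    size_t len;

    if (*p != '/') return SSI_REJECT_BAD_ARG;
    while (*p) {
        while (*p == '/') p++;          /* "//" in paths collapses to "/" */
        if (!*p) break;
        start = p;
        while (*p && *p != '/') p++;
        len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (used == 0) return SSI_REJECT_ESCAPES_ROOT;
            while (used > 0 && out[--used] != '/')
                ;                       /* drop the last segment written */
            continue;
        }
        if (used + 1 + len + 1 > outlen) return SSI_REJECT_TOO_LONG;
        out[used++] = '/';
        memcpy(out + used, start, len);
        used += len;
    }
    if (used == 0) {                    /* everything cancelled out: the root itself */
        if (outlen < 2) return SSI_REJECT_TOO_LONG;
        out[used++] = '/';
    }
    out[used] = '\0';
    return SSI_OK;
}

/* Map "#include tag=value", found in the page at doc_uri, to a filesystem path
 * under docroot (assumed to carry no trailing slash).  virtual= is an absolute
 * URI path; file= is relative to the including page's directory.  Both are
 * refused once they would leave the document space, so only what a client could
 * fetch anyway gets included (the NCSA rule; no "outside DocumentRoot" knob). */
int resolve_ssi_include(const char *docroot, const char *doc_uri,
                        const char *tag, const char *value,
                        char *out, size_t outlen)
{
    char joined[1024], norm[1024];
    int rc;

    if (!docroot || !doc_uri || !tag || !value || !*value) return SSI_REJECT_BAD_ARG;
    if (strcmp(tag, "virtual") == 0) {
        /* virtual= without a leading slash is malformed, not "relative" */
        if (value[0] != '/') return SSI_REJECT_BAD_ARG;
        if (strlen(value) >= sizeof joined) return SSI_REJECT_TOO_LONG;
        strcpy(joined, value);
    } else if (strcmp(tag, "file") == 0) {
        const char *slash = strrchr(doc_uri, '/');
        size_t dirlen = slash ? (size_t)(slash - doc_uri) : 0;
        /* an absolute file= could name any file on the machine */
        if (value[0] == '/') return SSI_REJECT_BAD_ARG;
        if (dirlen + 1 + strlen(value) + 1 > sizeof joined) return SSI_REJECT_TOO_LONG;
        memcpy(joined, doc_uri, dirlen);
        joined[dirlen] = '/';
        strcpy(joined + dirlen + 1, value);
    } else {
        return SSI_REJECT_BAD_ARG;
    }
    rc = normalise_abs_path(joined, norm, sizeof norm);
    if (rc != SSI_OK) return rc;
    if (snprintf(out, outlen, "%s%s", docroot, norm) >= (int)outlen) return SSI_REJECT_TOO_LONG;
    return SSI_OK;
}

/* Verdict-only wrappers for callers that do not need the resolved path. */
int include_status(const char *docroot, const char *doc_uri,
                   const char *tag, const char *value)
{
    char buf[2048];
    return resolve_ssi_include(docroot, doc_uri, tag, value, buf, sizeof buf);
}

int include_resolves_to(const char *docroot, const char *doc_uri,
                        const char *tag, const char *value, const char *expected)
{
    char buf[2048];
    return resolve_ssi_include(docroot, doc_uri, tag, value, buf, sizeof buf) == SSI_OK
        && strcmp(buf, expected) == 0;
}
```

With the sample values, `virtual="/footer.html"` resolves to /htdocs/footer.html, `file="../shared/header.html"` from /users/randy/index.shtml resolves to /htdocs/users/shared/header.html, and a `file=` that climbs past the root or starts with "/" is refused. The check is purely lexical, so it says nothing about symbolic links: a link planted inside DocumentRoot (the `ln -s` idea raised later in this thread) still points wherever it points, which is why FollowSymLinks is a separate decision and needs a separate filesystem-level check.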

Re: Vote summary for 0.8.15
> >FYI, I have a tentative build of 0.8.16, built according to these votes
> >(barring *further* last-minute changes), in
> >ftp://ftp.ai.mit.edu/pub/users/rst.
>
> Sigh; we seem to have stalled again. Can you upload that as 0.8.16?
> (At least that would make some progress.)
>
> Outstanding problems:
> 1. // in paths
> 2. The #include file=xxx problem. Randy seems to have disappeared from this
> list. If this problem is not fixed, then the compatibility notes will
> need a big notice stating:
>
> SECURITY Feature: Unlike NCSA httpd or Apache 0.6.5, Web admins concerned
> about security (who would not set the FollowSymLinks option for example)
> should be concerned about allowing server-side includes in any form. With
> Apache 0.8, Options IncludesNOEXEC (and Options Includes) will allow users
> to link in any file on the machine into their documents. NCSA httpd
> (and Apache 0.6 and earlier) only allow the inclusion of files that
> the client could access anyway.

IMHO we should *NOT* permit Apache 1.0 to do stuff that NCSA 1.3R can't. I
notice that 0.8.16 still doesn't treat file and virtual any
differently. This is just plain br0ken. Which patch went in to fix
this, I thought David R had had two bites at fixing this and got it
right the second time?

Confused.

> David.

Ay.

Re: Vote summary for 0.8.15
Randy:
> How are we going to allow access to files outside of documentroot
> when we need to? One possible application I have had in the back
> of my mind has been for accounting/administration related files,
> configuration files etc. Admittedly there are other ways to do this,
> but this appears to be one of them.

ln -s in/here/foo /out/of/it/bar perhaps?

> +1 31a_

Cheers,
Ay.