I've watched the dialog with interest about r->filename. There are security implications of doing things as loosely as we did in 1.3. Not that 1.3 was insecure, because the server always retested the path name after we finished processing.
Folks complained about the double-testing and CPU utilization. With all optimizations, something loses. In this case, we lost some flexibility over security. But the simple fact is that r->filename isn't always a file. Then what :-? We did kick around the idea of pluggable backends to represent files for httpd-2.0. mod_dav already uses this concept. Should it be extended to retrieving (GET) content? I believe so, but obviously r->filename gets even fuzzier after that. I'd like to take up and hack through some solution at the hackathon - this is the sort of underlying schema that we could fix in 2.2 - but we can come up with agreement on 'one true way' more rapidly with face time.

Bill
