On 01/17/2006 03:26 PM, Joshua Slive wrote:
> On 1/17/06, Ruediger Pluem <[EMAIL PROTECTED]> wrote:

[..cut..]

>>1. I think the comment
>>
>> "It is not set any lower by default because there may still be odd places
>> in the code where the timer is not reset when a packet is sent."
>>
>> on http://httpd.apache.org/docs/2.0/en/mod/core.html#timeout
>>
>> is not valid for 2.0.x and up. AFAIK the Timeout was implemented in 1.3
>> with the help of the alarm function which justifies this remark, but this
>> is no longer true since 2.0 where poll is used.
>
>
> +1 I think we'd at least prefer that if any of these edge cases still
> exist in the code, they be treated as bugs and not expected behavior.
>

I will remove it once there is an agreement on a new default value for Timeout.

>
>>2. There should be a section on the Security Tips page that mentions this
>> issue and makes some remarks on it.
>
>
> +1 Although you'll note that the security tips page is really just a
> big mess. It needs someone with some real-world knowledge to point
> out what is important.

I just clashed with your commit :-). I will have a look at your draft and add my things to it.

[..cut..]

>
> That sounds like a little too drastic a change to me without testing
> to back it up. Perhaps 60 would be a good intermediate step. One

This is also fine with me. Let's see what others think.

> problem is that TimeOut applies to too many different things. Why
> should the timeout waiting for CGI output and the timeout waiting for
> the network be the same? It would be nice to have more fine-grained
> control.

Yes, that would be really nice, but some work needs to be done to reach this.

>
> (And it would also be nice to unify all the different timeouts used by
> the server in some way; ie, "TimeOut cgi=60 request=5 ldap=10 dav=50",
> etc. But perhaps that is asking for too much.)

I prefer separate directives for each of these areas.

Regards

Rüdiger
