On Thu, Mar 08, 2018 at 11:05:29PM +0100, Yann Ylavic wrote:
> On Thu, Mar 8, 2018 at 11:00 PM, <[email protected]> wrote:
> >
> >   *) mod_access_compat, mod_authz_host: Prevent access control misconfiguration
> >      due to interpretation of #comments in Require host or Allow/Deny directives.
> >      trunk patch: http://svn.apache.org/r1667676
> >                   http://svn.apache.org/r1826207
> >      2.4.x patch: trunk works, svn merge -c 1667676,1826207 ^/httpd/httpd/trunk .
> > -     +1: jorton, jim,
> > +     +1: jorton, jim, ylavic
>
> This one possibly/later could be addressed at
> ap_getword_conf[_nocomment]() level, many/most directives should stop
> on #comments no?
I'm not confident about changing ap_getword_conf() itself because it's
not that remote a possibility that someone is using config lines with #
for some other reason, e.g. # is legitimately used in URIs. httpd
currently almost everywhere doesn't treat in-line # as special, even if
it's documented to be not permitted.

With an ap_getword_conf_nocomment() which silently strips comments I'd
worry we'd almost be *encouraging* use of in-line comments by making them
safe in some cases. For authz cases like the one in this merge, there's a
strong argument for comments to be errors rather than silently ignored
because previous behaviour was really quite horrible.

So... tl;dr, I'm not really sure.

Regards, Joe
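An added lint (not from this thread or from httpd itself) that flags in-line '#' on Require host/ip and Allow/Deny from lines, the sort of check worth running over a config before relying on those directives given the behaviour discussed above; the config fragment and the directive list are constructed for the example.

```python
import re

# Constructed sample of an httpd config fragment (not from the thread).
SAMPLE_CONF = """\
<Directory "/var/www/admin">
    Require host example.com # only the corporate domain
    Require ip 10.0.0.0/8
</Directory>
<Directory "/var/www/legacy">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24 # office LAN
    Allow from .example.org
</Directory>
# Require host trusted.example.net
"""

# Access-control directives whose arguments are hostnames or addresses, where
# an in-line '#' has historically been read as an argument, not a comment.
# Assumed list for this lint: Require [not] host|ip, Allow from, Deny from.
ACCESS_DIRECTIVES = re.compile(
    r'^\s*(Require\s+(?:not\s+)?(?:host|ip)\b|Allow\s+from\b|Deny\s+from\b)',
    re.IGNORECASE,
)


def find_inline_comments(conf_text):
    """Return (line_number, line) for access-control directives that carry an
    in-line '#'.  Whole-line comments (leading '#') are skipped.  This is a
    plain lint: it does not decide whether the '#' was meant literally."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        if ACCESS_DIRECTIVES.match(stripped) and '#' in stripped:
            findings.append((lineno, stripped))
    return findings


if __name__ == '__main__':
    for lineno, line in find_inline_comments(SAMPLE_CONF):
        print(f"line {lineno}: in-line '#' in access directive: {line}")
```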
