Hi Joe,

2018-03-16 10:38 GMT+01:00 Joe Orton <[email protected]>:
> On Thu, Mar 08, 2018 at 11:05:29PM +0100, Yann Ylavic wrote:
> > On Thu, Mar 8, 2018 at 11:00 PM, <[email protected]> wrote:
> > >
> > > *) mod_access_compat, mod_authz_host: Prevent access control misconfiguration
> > > due to interpretation of #comments in Require host or Allow/Deny directives.
> > > trunk patch: http://svn.apache.org/r1667676
> > > http://svn.apache.org/r1826207
> > > 2.4.x patch: trunk works, svn merge -c 1667676,1826207 ^/httpd/httpd/trunk .
> > > - +1: jorton, jim,
> > > + +1: jorton, jim, ylavic
> >
> > This one possibly/later could be addressed at
> > ap_getword_conf[_nocomment]() level, many/most directives should stop
> > on #comments no?
>
> I'm not confident about changing ap_getword_conf() itself because it's
> not that remote a possibility that someone is using config lines with #
> for some other reason, e.g. # is legitimately used in URIs. httpd
> currently almost everywhere doesn't treat in-line # as special, even if
> it's documented to be not permitted.

Makes sense!

> With an ap_getword_conf_nocomment() which silently strips comments I'd
> worry we'd almost be *encouraging* use of in-line comments by making
> them safe in some cases. For authz cases like the one in this merge,
> there's a strong argument for comments to be errors rather than silently
> ignored because previous behaviour was really quite horrible.

From my point of view, adding a comment near a directive (except in some cases like you explained above) should be totally safe and transparent to the user. I had never thought about the possibility that having an inline comment could be dangerous, and in my opinion we should enforce this vision and explicitly document when it is not possible and why.

The above is my naive view though (after working on this project for a very short time), so I'd really like to know what your angle is about not encouraging inline comments (I'm pretty sure there are use cases that I didn't think of, and that it might be good to document them).

Thanks!

Luca
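To make the behaviour discussed in this thread concrete, here is an added example that is not part of the thread and not httpd's own code. It is a simplified Python stand-in for a whitespace-and-quote directive tokenizer in the spirit of ap_getword_conf() (the real function is C and handles more cases); the only property it is meant to share with httpd is the one Joe describes: `#` has no special meaning inside a directive line. The `Allow`, `Require` and `Redirect` lines, the `args_reject_comment()` policy (modelled on the "comments are errors" approach in the merged fix, not copied from it) and the naive `strip_after_hash()` variant are all constructed for the illustration.

```python
"""Added example (not httpd code): why an "inline comment" on an authz
directive is dangerous, and why a blanket strip-after-'#' rule is not a
safe fix either. The tokenizer below is a simplified model, not
ap_getword_conf()."""

from typing import List


def getword_conf(line: str) -> List[str]:
    """Split a directive line into words: whitespace-separated, with double
    quotes grouping a word and backslash escaping a quote. Like httpd's
    tokenizer (as described in the thread), '#' gets no special treatment."""
    words: List[str] = []
    cur, in_quotes, i = "", False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quotes = not in_quotes
        elif c == "\\" and i + 1 < len(line) and line[i + 1] == '"':
            cur += '"'
            i += 1
        elif c.isspace() and not in_quotes:
            if cur:
                words.append(cur)
                cur = ""
        else:
            cur += c
        i += 1
    if cur:
        words.append(cur)
    return words


def args_legacy(line: str) -> List[str]:
    """Pre-fix behaviour: every word after the directive name is an argument.
    For 'Allow from ...' or 'Require host ...' that means the words of a
    trailing comment are read as additional host specifications."""
    return getword_conf(line)[1:]


def args_reject_comment(line: str) -> List[str]:
    """Modelled policy from the fix discussed above: an argument beginning
    with '#' is a configuration error rather than a silently accepted host."""
    args = args_legacy(line)
    for arg in args:
        if arg.startswith("#"):
            raise ValueError(f"inline comment not allowed: {line!r}")
    return args


def strip_after_hash(line: str) -> str:
    """Naive 'nocomment' variant (assumption, not anything httpd does): drop
    everything from the first '#' character. Included to show the risk Joe
    points out: '#' is legitimate inside URIs."""
    return line.split("#", 1)[0]


def demo() -> dict:
    # Constructed configuration lines for the demonstration.
    allow = "Allow from 10.0.0.0/8 # office LAN"
    redirect = 'Redirect permanent /old "http://www.example.com/new#section"'

    result = {}
    # Legacy parse: '#', 'office' and 'LAN' become extra host arguments.
    result["legacy_allow"] = args_legacy(allow)
    # Fixed parse: the same line is refused at configuration time.
    try:
        args_reject_comment(allow)
        result["reject_allow"] = "accepted"
    except ValueError:
        result["reject_allow"] = "error"
    # A URI fragment survives the legacy tokenizer unchanged ...
    result["legacy_redirect"] = args_legacy(redirect)
    # ... but a blanket strip-after-'#' rule silently truncates the URI.
    result["stripped_redirect"] = args_legacy(strip_after_hash(redirect))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two failure modes side by side: with the legacy tokenizer the `Allow` line yields `['from', '10.0.0.0/8', '#', 'office', 'LAN']`, so the comment words are handed to the access module as host arguments, whereas the reject policy turns the same line into a startup error; and the naive strip variant cuts `http://www.example.com/new#section` down to `http://www.example.com/new`, which is why a global "ignore everything after #" rule is not a drop-in answer.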
