> I still want to see it solved on the Apache side.

I don't think you'll see this solved the way you want, so we're going to need to live with it one way or another.

> Any workarounds suck, but inevitable.
> because you unescape just a few things at the moment. Later you will
> want to extend this list.

perhaps. notice I didn't try an unescape \b or some of the others because I don't expect them to show up in the test suite and because really it's the newline thing that really makes this hell for us.

> And it doesn't help non A-T users.

twas never the intent.

> And this
> practice is very questionable in terms of circumventing the security
> this change has been made for.

I don't think so. the security issue was for rogue people trying to access the server remotely via URL query. for software on the box to do this, it hardly needs to resort to such antics - simply adding shell code to TEST.PL is sufficient.

> The particular problem with your patch is the slurp mode. Quite often I
> have enormous, up to 100MB error_log files. You don't want to slurp and
> rewrite them in memory. Even w/o the slurp issue it's also going to be
> quite slow.

yes, good point.

> I'm very unhappy about this change in Apache, but besides me everybody
> keeps quiet and doesn't complain/looking for solutions in the core of
> the problem, I won't be surprised that it'll stay that way.

httpd core has chosen their path, giving a valid reason for doing so. complaining won't get anything else accomplished, other than removing karma. the only thing that bothers me is that they don't have a compile-time option to turn it off.

> If Apache doesn't remove this change, I'm thinking that we will provide
> an alternative implementation in mod_perl and have a compile time option
> which will choose Apache's implementation vs. ours (ours will be just a
> copy of Apache's core implementation before this change). How does this
> sound? Of course users should be aware of the potential risks if they
> choose ours.

yucko.

--Geoff
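
The slurp concern raised in the thread can be avoided by unescaping line by line into a separate readable copy. The following is an added example, not the patch under discussion and not Apache-Test code; it assumes a backslash-escape format (`\n`, `\t`, `\b`, `\\`, `\xHH`), and the function names and sample lines are constructed for illustration.

```python
import io
import re

# Only these escapes are turned back into real characters, for readability.
# Everything else (\\, \b, \r, \v, \xHH) stays escaped so control bytes never
# reach a terminal. This subset is an assumption of the example.
_READABLE = {"n": "\n", "t": "\t"}

# Tokenise every escape as a unit. Matching "\\" as a pair is what stops the
# escaped backslash in "C:\\new" from being misread as backslash + "\n".
_ESCAPE = re.compile(r"\\(x[0-9a-fA-F]{2}|.)")


def unescape_line(line):
    """Return line with only the whitelisted escapes expanded."""
    return _ESCAPE.sub(lambda m: _READABLE.get(m.group(1), m.group(0)), line)


def unescape_stream(src, dst):
    """Copy src to dst one line at a time and return the number of lines read.

    Memory use is bounded by the longest line, so a 100MB log is never held
    in memory, and the original log is left untouched because output goes to
    a different handle.
    """
    count = 0
    for line in src:
        dst.write(unescape_line(line))
        count += 1
    return count


# Constructed sample lines, not taken from a real error_log.
SAMPLE = (
    r"[error] [client 127.0.0.1] line one\nline two\tend" "\n"
    r"[error] path C:\\new\\temp" "\n"
    r"[error] raw \x1b[31m and \b kept" "\n"
)

if __name__ == "__main__":
    out = io.StringIO()
    lines = unescape_stream(io.StringIO(SAMPLE), out)
    print(f"{lines} lines processed")
    print(out.getvalue(), end="")
```
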