| Summary: | Mixing "+" and non-"+" options in <Directory> result in strange behavour | ||
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Davide Bianchi <davide> |
| Component: | Runtime Config | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | st |
| Priority: | P2 | Keywords: | PatchAvailable |
| Version: | 2.0.52 | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Attachments: | Reject option combinations that (at best) don't make much sense. | ||
We really need beter documentation on how _evil_ this behavoir is! Well, yes, we could just document this. This seems like a little bit of a cop-out. My preference would be that if someone mixes +/- and bare word options, we fail configtest and make them go fix it. I'll do the documentation bit, but I don't believe that fixes it. I have "fixed this in documentation" for the Options directive. However, I really don't believe that this fixes it, particularly since several Linux distros ship with this very broken syntax in their default config files. We need to throw a configtest error for this, IMHO. Docs fixed, suggestion of a runtime warning goes to a different category. Created attachment 21764 [details]
Reject option combinations that (at best) don't make much sense.
Attached patch enforces the following:
- Either merge-options or non-merge-options may be used, i.e. you cannot mix '+a' or '-a' with 'a' options anymore. The result in these cases has always been undefined and probably cannot be defined anyway.
Exception: 'All -a' or 'None +a' (but not '+a None', see below), in order to conveniently 'set all options except this'.
- Options All and None may not be used as mergers, i.e. reject +All, -All, +None, -None. There's no use in these options, '+a +b +All' is 'All', '+a +b -All' is 'None', and who would want to add or remove just nothing?
- All and None must be the first option given. 'a b All' is equal to 'All', and 'Indexes None' has at best an undefined result, it might be 'Indexes' as well as 'None' (and, by implementation, is 'None').
I like the idea, but this can never go into 2.2, since I'm sure there are many people relying on the bizarre misbehaviors of Options on current sites. I'd suggest just changing the error messages to warnings and tacking on "Proceeding with undefined results." or something like that. Otherwise, I don't have a problem with a patch like this going into 2.next. It seems like a good idea to at least make this change in trunk. People will have to update their configs when they move to the next release anyway, and it will head off problems. |
If you mix "+" and non-"+" options in a <Directory> block most of the time the '+' options are ignored. Example: <Directory "/some/dir"> Options +Indexes FollowSymLinks Will result in only the 'FollowSymLinks' option to be used. I think that the problem lay in the code that process the options. The solution is pretty simple: never mix the options. However, the config test doesn't report any problem with this configuration.