/ Zope / Apsis / Pound Mailing List / Archive / 2008 / 2008-06 / Re: HeadRequire example too broad for comfort

[ << ] [ >> ]

[ The service is not available. Please try again ... ] [ No BPROPFIND support in Pound? / Thomas M ... ]

Re: HeadRequire example too broad for comfort
Juerd Waalboer <juerd(at)convolution.nl>		 2008-06-24 20:22:41 [ FULL ] 
Robert Segall skribis 2008-06-24 18:17 (+0200):[...]

Oh, I hadn't noticed that the mailing list is the preferred place for
suggestions.

(Entire original message preserved so list members can read it.)
[...]

[...]

Indeed, the ^ and the escaping of the dots are a good idea. (I actually
did escape dots in my real config already).

If I understand correctly, the [ \t] can safely be written as \s,
because that is equivalent to [ \t\r\n] and Pound already breaks at \r
or \n. Still, though, you're right: it's better to stay on the safe side
and be specific.
[...]

I'd say that this is a dangerous and wrong assumption. In any case,
there is still a huge group of people that don't know what they're
doing, but still want security.

Perhaps it is your opinion that if you don't know what you're doing, you
don't /deserve/ security. I hope not.
[...]

What reason can there possibly be to keep the examples on the web page
intentionally dumb?

If anything, it makes you look like one of those people who don't know
what they're doing. That's a shame, because Pound really is wonderful
software.

To summarize the issues:
1. Security: the regex allows far more than it should.
2. Efficiency: .* is inefficient, especially when trailing.

And if you and I don't even write the regex correctly at the first try,
there are probably a lot of people who need more guidance than the
examples currently listed.[...]
MailBoxer