httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@liege.ICS.UCI.EDU>
Subject Re: override mask semantics
Date Thu, 03 Oct 1996 01:19:23 GMT
>> where parms->override is set according to where the directive occurs:
>>    *.conf   --> override = (RSRC_CONF|OR_ALL)&~(OR_AUTHCFG|OR_LIMIT);
>>    within <Directory> or <Location> --> override = OR_ALL|ACCESS_CONF;
>>   .htaccess --> override = core_dir->override;   /* AllowOverride, I assume
>> <Limit> and <Files> do not change the override value, which seems odd.
> Not setting <Files> to OR_ALL|ACCESS_CONF is a defenitely a bug, and
> should be fixed. Probably someone (me) just accidentally deleted the
> line.

Hmmm, I don't know.  The reason <Directory> and <Location> can set it to
(OR_ALL|ACCESS_CONF) is because they are only allowed in *.conf.
If <Files> is allowed in .htaccess, then the current behavior is
probably correct.  Hmmm, I guess that begs the question: is <Files>
allowed in .htaccess?

Right now, we have

{ "<Files", filesection, NULL, OR_ALL, RAW_ARGS, NULL },

in which the OR_ALL seems odd to me (it implies that the directory
must have AllowOverride All in order to set anything via <Files>).
I think it should be either RSRC_CONF (meaning only allowed in *.conf)
or OR_NONE (meaning it should inherit the overrides of the context).

Aaarrgghh, hold on -- I have been assuming that the purpose of the
req_override argument was to indicate the union of overrides that
are necessary.  If, instead, it is supposed to indicate the intersection
(as in, this command is allowed if *any* of these overrides are allowed),
then that would explain

    if ((parms->override & cmd->req_override) == 0)
        return pstrcat (parms->pool, cmd->name, " not allowed here", NULL);

Hey RST, can you confirm one way or the other?  That is, does

         "anywhere that AuthConfig AND Limit are allowed to be overridden"
     or  "anywhere that AuthConfig OR Limit is allowed to be overridden"?

The API.html (and what I expected) led me to believe the former, but
the code is currently doing the latter.


View raw message