httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@liege.ICS.UCI.EDU>
Subject Re: override mask semantics
Date Thu, 03 Oct 1996 01:19:23 GMT
>> where parms->override is set according to where the directive occurs:
>> 
>>    *.conf   --> override = (RSRC_CONF|OR_ALL)&~(OR_AUTHCFG|OR_LIMIT);
>> 
>>    within <Directory> or <Location> --> override = OR_ALL|ACCESS_CONF;
>> 
>>   .htaccess --> override = core_dir->override;   /* AllowOverride, I assume
*/
>> 
>> <Limit> and <Files> do not change the override value, which seems odd.
> 
> Not setting <Files> to OR_ALL|ACCESS_CONF is a defenitely a bug, and
> should be fixed. Probably someone (me) just accidentally deleted the
> line.

Hmmm, I don't know.  The reason <Directory> and <Location> can set it to
(OR_ALL|ACCESS_CONF) is because they are only allowed in *.conf.
If <Files> is allowed in .htaccess, then the current behavior is
probably correct.  Hmmm, I guess that begs the question: is <Files>
allowed in .htaccess?

Right now, we have

{ "<Files", filesection, NULL, OR_ALL, RAW_ARGS, NULL },

in which the OR_ALL seems odd to me (it implies that the directory
must have AllowOverride All in order to set anything via <Files>).
I think it should be either RSRC_CONF (meaning only allowed in *.conf)
or OR_NONE (meaning it should inherit the overrides of the context).

Aaarrgghh, hold on -- I have been assuming that the purpose of the
req_override argument was to indicate the union of overrides that
are necessary.  If, instead, it is supposed to indicate the intersection
(as in, this command is allowed if *any* of these overrides are allowed),
then that would explain

    if ((parms->override & cmd->req_override) == 0)
        return pstrcat (parms->pool, cmd->name, " not allowed here", NULL);

Hey RST, can you confirm one way or the other?  That is, does

    (OR_AUTHCFG|OR_LIMIT) mean
         "anywhere that AuthConfig AND Limit are allowed to be overridden"
     or  "anywhere that AuthConfig OR Limit is allowed to be overridden"?

The API.html (and what I expected) led me to believe the former, but
the code is currently doing the latter.

.....Roy

Mime
View raw message