httpd-dev mailing list archives

From "Joshua Slive" <>
Subject RE: cvs commit: httpd-2.0 STATUS
Date Mon, 10 Sep 2001 17:04:42 GMT
> -----Original Message-----
> From: William A. Rowe, Jr. []
> > 2. It encourages people to use <Location> where they should be using <Directory>.
> > (Imagine if you protected this <Location> block with basic auth, but forgot
> > that another URL can access the same directory.)
> Wouldn't matter.  The beauty is that the <Location> protection is applied again.
> In some Locations - relative to a virtual host, I allow DAV access to a branch
> of the filename space.  In others, I don't allow DAV, but I allow the usual GET/POST.

Sure, <Location> is great for some special cases.  But we have always, in
general, recommended that <Directory> be used wherever possible if you are
dealing with the filesystem.  There are just too many ways for multiple URLs
to map to a directory.

    DocumentRoot /www
    <Location /foo>
        MapToFilePath /www/bar
        Require valid-user
    </Location>

Now request
What would happen on a case-insensitive file system?  I don't know the
answer, but there are tons of special cases like this.  (Another example:
Suppose that LocationMatch was used instead of location and the request was
for  This would certainly bypass auth.)

Your suggestion does not create any new problems (all of these things can
also happen with Alias), but it encourages people to use a configuration
that can be less secure.

Other than that, I agree it is cute and useful.
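
An added example, not part of the original message or of httpd: a small config check that lists URLs reaching a <Location>-protected directory by a route the <Location> block does not cover. It assumes a flat config, a case-sensitive filesystem, and Alias in place of the proposed MapToFilePath; all function names are hypothetical.

```python
import posixpath
import re

# Constructed sample (not from the message). Alias stands in for the proposed
# MapToFilePath; the message notes the same problem can happen with Alias.
WEAK = """DocumentRoot /www
Alias /foo /www/bar
<Location /foo>
Require valid-user
</Location>
"""
# Same rule attached to the filesystem path instead of a single URL prefix.
FIXED = (WEAK.replace("<Location /foo>", "<Directory /www/bar>")
             .replace("</Location>", "</Directory>"))

def parse(conf):
    """Return DocumentRoot, Alias pairs, and the sections that carry a Require."""
    root = re.search(r"^\s*DocumentRoot\s+(\S+)", conf, re.M).group(1)
    aliases = re.findall(r"^\s*Alias\s+(\S+)\s+(\S+)", conf, re.M)
    secs = re.findall(r"<(Location|Directory)\s+(\S+)>(.*?)</\1>", conf, re.S)
    locs = {p for k, p, body in secs if k == "Location" and "Require" in body}
    dirs = {p for k, p, body in secs if k == "Directory" and "Require" in body}
    return root, aliases, locs, dirs

def under(path, prefix):
    """Segment-aware prefix test: /www/bar covers /www/bar/x, not /www/barn."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def to_fs(url, root, aliases):
    """Map a URL path to a filesystem path; the first matching Alias wins."""
    for prefix, target in aliases:
        if under(url, prefix):
            return posixpath.normpath(target + url[len(prefix):])
    return posixpath.normpath(root + url)

def bypass_routes(conf):
    """URLs that reach a Location-protected directory with no Require applied."""
    root, aliases, locs, dirs = parse(conf)
    found = set()
    for loc in locs:
        fs = to_fs(loc, root, aliases)
        if any(under(fs, d) for d in dirs):
            continue  # the rule follows the directory, so every URL is covered
        for base, prefix in [(root, "")] + [(t, p) for p, t in aliases]:
            url = (prefix + fs[len(base.rstrip("/")):]) or "/"
            if under(fs, base) and to_fs(url, root, aliases) == fs \
                    and not any(under(url, p) for p in locs):
                found.add(url)
    return sorted(found)
```

On the constructed WEAK config the check reports /bar, the DocumentRoot route to the same directory; on FIXED it reports nothing.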

