httpd-dev mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject RE: cvs commit: httpd-2.0 STATUS
Date Mon, 10 Sep 2001 17:04:42 GMT
> -----Original Message-----
> From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net]
> > 2. It encourages people to use <Location> where they should be using <Directory>.
> > (Imagine if you protected this <Location> block with basic auth, but forgot
> > that another URL can access the same directory.)
>
> Wouldn't matter.  The beauty is that the <Location> protection is applied again.
> In some Locations - relative to a virtual host, I allow DAV access to a branch
> of the filename space.  In others, I don't allow DAV, but I allow the usual GET/POST.
>

Sure, <Location> is great for some special cases.  But we have always, in
general, recommended that <Directory> be used wherever possible if you are
dealing with the filesystem.  There are just too many ways for multiple URLs
to map to a directory.
Imagine:

DocumentRoot /www
<Location /foo>
MapToFilePath /www/bar
Require valid-user
</Location>

Now request http://example.com/FOO/
What would happen on a case-insensitive file system?  I don't know the
answer, but there are tons of special cases like this.  (Another example:
Suppose that LocationMatch was used instead of Location and the request was
for http://example.com//FOO/.  This would certainly bypass auth.)

Your suggestion does not create any new problems (all of these things can
also happen with Alias), but it encourages people to use a configuration
that can be less secure.

Other than that, I agree it is cute and useful.

Joshua.
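
The case raised in the message, where a second URL reaches the same directory, shown as an added example that is not part of the original message. It assumes Apache 2.4 syntax and uses Alias in place of the proposed MapToFilePath; the password file path and realm name are constructed.

```apache
# Added example. /www and /www/bar come from the message above;
# the AuthUserFile path and AuthName are constructed placeholders.

DocumentRoot "/www"

# Stands in for the proposed MapToFilePath: /foo/... serves /www/bar/...
Alias "/foo" "/www/bar"

# Assumed baseline: the document tree is readable without credentials.
<Directory "/www">
    Require all granted
</Directory>

# --- Variant A (weak): protection keyed on one URL prefix ---------------
# /foo/... asks for credentials. /bar/... maps through DocumentRoot to the
# same /www/bar files, never enters this section, and is served under the
# baseline rule above.
<Location "/foo">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/httpd/passwd/users"
    Require valid-user
</Location>

# --- Variant B (corrected): protection keyed on the filesystem path -----
# Use this section instead of Variant A. <Directory> is evaluated after
# the URL has been translated to a file, so every URL that ends up in
# /www/bar (/foo/..., /bar/..., any later Alias) requires a valid user.
<Directory "/www/bar">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/httpd/passwd/users"
    Require valid-user
</Directory>
```

To check a deployed configuration, request the protected files through each URL prefix that maps to the directory and confirm that every one returns 401 without credentials.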

