Message-ID: <3C600053.B11EFD43@Golux.Com>
Date: Tue, 05 Feb 2002 10:54:59 -0500
From: Rodent of Unusual Size
Organization: The Apache Software Foundation
To: dev@httpd.apache.org
Subject: Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c

Cliff Woolley wrote:
>
> Reverted.

Ta. 401 and 500 are (or can be) slightly special cases. 401 because we're not sure the user can access the resource and shouldn't let him know it even exists without that surety. And 500 because we're not sure what went wrong, and if the config error were fixed it might deny access. Paranoia mode.

403 is one of those on-the-fence things; we know access is categorically denied, but should we tell the user since he can (presumably) never get it? You'll find proponents on both sides, but most security people will plump for obscuring the resource's existence.

Good work, though, Cliff, and fast. :-)
--
#ken P-)}

Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/

"Millennium hand and shrimp!"