httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jerry Baker <>
Subject Re: Authentication
Date Thu, 03 Oct 2002 00:30:28 GMT
Joshua Slive says:
> This has the effect of leaving GET unrestricted, according to the bug
> report.  Is this correct behavior?  It seems like, since the other methods
> are not change by the <limitexcept>, the require should still apply to
> them.

I agree. The LimitExcept directive implies that the limit will apply to 
everything with the exception of what follows (POST, HEAD, GET, etc.). 
"Except" is negative in nature - meaning exclusion. It implies that 
nothing will be done to those requests since the directive says they are 
to be excluded. Since Apache uses the LimitExcept directive to apply 
some sort of context to the HTTP requests in that directive, it's not 
really excluding those requests from the directive. It's semantics, but 
important ones.

Users get clues about how config directives work by the meaning of the 
words used. In this case, "except" is misleading. It should be changed 
to <DontLimit GET HEAD POST>. There is a difference.

Jerry Baker

View raw message