httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jos...@slive.ca>
Subject Re: Authentication
Date Thu, 03 Oct 2002 00:43:29 GMT
On Wed, 2 Oct 2002, Jerry Baker wrote:

> Joshua Slive says:
> > This has the effect of leaving GET unrestricted, according to the bug
> > report.  Is this correct behavior?  It seems like, since the other methods
> > are not change by the <limitexcept>, the require should still apply to
> > them.
>
> I agree. The LimitExcept directive implies that the limit will apply to
> everything with the exception of what follows (POST, HEAD, GET, etc.).
> "Except" is negative in nature - meaning exclusion. It implies that
> nothing will be done to those requests since the directive says they are
> to be excluded. Since Apache uses the LimitExcept directive to apply
> some sort of context to the HTTP requests in that directive, it's not
> really excluding those requests from the directive. It's semantics, but
> important ones.
>
> Users get clues about how config directives work by the meaning of the
> words used. In this case, "except" is misleading. It should be changed
> to <DontLimit GET HEAD POST>. There is a difference.

No.  <limitexcept> should be corrected not to touch the other methods.
Otherwise, things like this wouldn't work:

<limitexcept GET>
require valid-user
</limit>
<limit GET>
order deny,allow
deny from badguy.com
</limit>

Joshua.


Mime
View raw message