httpd-dev mailing list archives

From: "William A. Rowe, Jr."
Subject: Re: [STATUS] (apache-1.3) long pathnames with many components
Date: Sat, 23 Nov 2002 05:50:34 GMT

At 12:04 AM 11/21/2002, Glenn wrote:
>And now a question about the code: why bother checking for .htaccess files
>outside of valid DocumentRoots (or UserDirs)?  If you need to set directives
>above the document root, create a <Directory> block in httpd.conf.

Apache checks whatever you ask it to.  If your config includes the
AllowOverride none at the <Directory /> layer, and AllowOverride x
at the <Directory "{docroot}"> layer, it does exactly what you want.

One server's docroot may be simply a node within another vhost.

>Also for Apache 3.0, can AllowOverride None be the default?
>It is a more secure default, besides providing better performance.

Just as I said.  You actually decrease security if the administrator
has populated .htaccess files and you flip the default on them.

I'm not against a commented-out AllowOverride None within the
default <Directory /> block, explaining its behavior and why one
would enable that directive.  Feel free to offer such a patch to
the httpd-std.conf files.
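
A simplified model of the layering described in this message, added here as an illustration and not part of the original post or of Apache's code: it lists the directories where a .htaccess file is consulted for one request. It assumes literal <Directory> paths only and that an unset AllowOverride means All; the function name and sample paths are constructed.

```python
import posixpath

# Simplified model of the directory walk discussed in this thread: literal
# <Directory> sections only (no wildcards, regexes or symlinks).
DEFAULT_OVERRIDE = "All"  # assumption: no AllowOverride configured means All


def htaccess_probes(sections, filename, access_name=".htaccess"):
    """Return the .htaccess paths consulted while resolving `filename`.

    sections maps a literal <Directory> path to its AllowOverride value;
    a section without AllowOverride is simply left out of the mapping.
    """
    sections = {posixpath.normpath(d): v for d, v in sections.items()}
    override = DEFAULT_OVERRIDE
    probes = []
    directory = posixpath.dirname(posixpath.normpath(filename))
    parts = [p for p in directory.split("/") if p]
    # Visit "/", then each deeper directory, shortest path first.
    for depth in range(len(parts) + 1):
        current = "/" + "/".join(parts[:depth])
        # A section for this exact directory is merged before the
        # override check, so it decides whether .htaccess is read here.
        override = sections.get(current, override)
        if override.lower() != "none":
            probes.append(posixpath.join(current, access_name))
    return probes


if __name__ == "__main__":
    # Constructed sample paths, not taken from the thread.
    docroot = "/var/www/site"
    request = docroot + "/a/b/c/index.html"
    layered = {"/": "None", docroot: "AuthConfig"}
    for label, conf in (("no AllowOverride anywhere", {}),
                        ("None at /, AuthConfig at docroot", layered)):
        print(label)
        for path in htaccess_probes(conf, request):
            print("  " + path)
```

With the layered configuration, nothing above the docroot is probed, so a .htaccess file planted in a parent directory is never read.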

