httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: PR 47019 Limit/LimitExcept bug or documentation bug?
Date Sun, 01 Nov 2009 12:13:59 GMT
On Sunday 01 November 2009, Nick Kew wrote:
> On 31 Oct 2009, at 23:14, Stefan Fritsch wrote:
> > Hi,
> >
> > consider this config:
> > ===================
> > <Location /sec>
> > [chop]
> > <Location />
> > [chop]
> > ===================
> >
> > From the LimitExcept docs, I would expect that the <Location />
> > block does not affect GET/POST requests at all. But actually, it
> > is allowing access from everywhere, overriding the previous
> > <Location /sec> block.
> 
> http://httpd.apache.org/docs/2.2/sections.html#mergin
> 
I am aware that directives in the <Location /> section override 
directives in the earlier <Location /sec> section. But the <Location 
/> does _not_ contain anything that affects GET/POST. Therefore I 
would expect that the <Location /sec> section still applies for 
GET/POST.


The problem is that

<LimitExcept X>
 ... some access control ...
</LimitExcept>

is treated as

<LimitExcept X>
 ... some access control ...
</LimitExcept>
<Limit X>
 Allow from all
</Limit>

but this is not obvious from the documentation. And it makes it a PITA 
to globally disallow certain methods (except if using mod_rewrite).

Mime
View raw message