From Graham Leggett
Subject Re: mod_include and ap_expr
Date Sun, 15 May 2011 11:37:49 GMT
On 15 May 2011, at 1:22 PM, Stefan Fritsch wrote:

> So you implemented it more as a safeguard against confusion with
> "-A" strings in existing expressions than as a security measure?


> Do you think that untrusted shtml files are not a common use case?  
> In that case I would tend to the "people can always switch back to  
> the old restricted expression syntax" solution.

I don't follow what you mean by "untrusted shtml files"?

What the -A option does is say "if this particular request for this  
URL would succeed should this particular user attempt to access this  
particular URL directly, then show this data". Or in English, you  
would use the -A option within a page to show or hide links to  
something in a page depending on whether that person has access to  
that link.

For example, to hide the link to JIRA from those that don't have  
access to JIRA, do this:

<!--#if expr="-A /jira/"-->
<tr><td><a href="/jira/secure/Dashboard.jspa?os_authType=basic">JIRA</a></td></tr>
<!--#endif -->


It works the exact same way that mod_autoindex works, which also sets  
up subrequests to answer the question "should I display this  
particular file in the directory listing". If the subrequest returns  
some kind of error (>= 400), the module goes "oh well, access to that  
file not permitted, will leave it off the list".
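
The following configuration is an added example, not part of the original message or of the httpd project's own files. It shows the server-side rule that the -A subrequest for /jira/ would be evaluated against; the directory path and the client address range are constructed assumptions.

```apache
# Added example; the directory path and address range are assumptions.

# Let mod_include process .shtml pages, so that a page containing
#   <!--#if expr="-A /jira/"--> ... <!--#endif -->
# has its conditional evaluated per request.
<Directory "/var/www/html">
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# The access rule for /jira/. The -A test issues a subrequest for this
# URL on behalf of the current client and checks the resulting status.
# A client outside the range gets 403 on the subrequest (>= 400), so the
# JIRA table row is left out of the rendered page.
<Location "/jira/">
    Require ip 192.0.2.0/24
</Location>

# Hiding the link only changes what is displayed. A client that requests
# /jira/ directly is still checked against the <Location> block above,
# so that block must stay in place whether or not pages use -A.
```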


