httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: "Forbid" directive in core?
Date Mon, 10 Jun 2013 21:04:33 GMT
On Monday 10 June 2013, Tim Bannister wrote:
> On 10 Jun 2013, at 15:17, Graham Leggett <minfrin@sharp.fm> wrote:
> > On 10 Jun 2013, at 3:35 PM, Eric Covener <covener@gmail.com> 
wrote:
> >> I'd like to add an immutable Forbid directive to the core and
> >> use it in some places in the default configuration instead of
> >> "require all denied".
> >> 
> >> http://people.apache.org/~covener/forbid.diff
> >> 
> >> This protects from a broad <Location or <If being added that
> >> supercedes Directory/Files.
> > 
> > Does Location supercede Directory/Files?
> > 
> > My understanding is that if the Directory/Files says no, then the
> > access is denied, regardless of what Location says. Or to state
> > it another way, we are successful until the first directive
> > comes along that says denied. We don't deny, and then later on
> > change our mind and succeed again.
> 
> I think that “dangerous” behaviour IS how httpd behaves. Have a
> look at the end of
> http://httpd.apache.org/docs/2.4/sections.html#merging

I think the real problem is that AuthzMerging defaults to "off". 
Having a default of "and" would have been a lot safer, but that cannot 
be changed in 2.4 anymore. And there is not even a way to make 
AuthzMerging default to "and" globally. Time for a 
"DefaultAuthzMerging XXX" or an "AuthzMerging XXX inherit" directive?

Mime
View raw message