httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Bannister <is...@jellybaby.net>
Subject Re: "Forbid" directive in core?
Date Mon, 10 Jun 2013 14:26:29 GMT
On 10 Jun 2013, at 15:17, Graham Leggett <minfrin@sharp.fm> wrote:
> On 10 Jun 2013, at 3:35 PM, Eric Covener <covener@gmail.com> wrote:
> 
>> I'd like to add an immutable Forbid directive to the core and use it in some places
in the default configuration instead of "require all denied".
>> 
>> http://people.apache.org/~covener/forbid.diff
>> 
>> This protects from a broad <Location or <If being added that supercedes Directory/Files.
> 
> Does Location supercede Directory/Files?
> 
> My understanding is that if the Directory/Files says no, then the access is denied, regardless
of what Location says. Or to state it another way, we are successful until the first directive
comes along that says denied. We don't deny, and then later on change our mind and succeed
again.

I think that “dangerous” behaviour IS how httpd behaves. Have a look at the end of http://httpd.apache.org/docs/2.4/sections.html#merging

-- 
Tim Bannister – isoma@jellybaby.net


Mime
View raw message