httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Understanding OptionsBleed
Date Thu, 21 Sep 2017 09:01:16 GMT
On Thu, Sep 21, 2017 at 10:54 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> On Wed, Sep 20, 2017 at 6:36 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
>>
>> Provided AllowOverride is None, and AllowOverrideList does not include
>> "<Limit", the server should be protected, but I haven't played with
>> this theory; https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist
>
> I tested this and indeed the server is protected.
> This is IMHO the right way to control the content of .htaccess files
> from httpd.conf (i.e. a white-list).

Also note that AllowOverride containing "AuthConfig" implicitly
allows <Limit > in .htaccess, I think we should change this since
"Limit" can be specified explicitly in AllowOverride.
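
An added example, not part of the original message or of httpd itself: a small audit script that flags `<Directory>` blocks whose settings let .htaccess files carry `<Limit>`, following the rules stated in this thread. The sample configuration, paths and function name are constructed for illustration; each block is checked on its own, inheritance from parent directories is not resolved, and treating `AllowOverride All` as permitting `<Limit>` is an assumption beyond what the message states.

```python
import re

# AllowOverride classes under which .htaccess may use <Limit>: "Limit" itself,
# "AuthConfig" (implicitly, per the message above) and "All" (assumption).
LIMIT_CLASSES = {"limit", "authconfig", "all"}

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
<Directory "/srv/www/a">
    AllowOverride None
    AllowOverrideList Redirect RedirectMatch
</Directory>
<Directory "/srv/www/b">
    # AuthConfig implicitly permits <Limit>
    AllowOverride AuthConfig FileInfo
</Directory>
<Directory "/srv/www/c">
    AllowOverride None
    AllowOverrideList "<Limit" Require
</Directory>
"""

def limit_allowed_sections(conf_text):
    """Return {directory: reason} for blocks whose .htaccess may use <Limit>."""
    findings = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
            continue
        if re.match(r"</Directory>", line, re.I):
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        name = parts[0].lower()
        args = [p.strip('"').lower() for p in parts[1:]]
        if name == "allowoverride":
            hits = sorted(LIMIT_CLASSES & set(args))
            if hits:
                findings[current] = "AllowOverride " + hits[0]
        elif name == "allowoverridelist" and "<limit" in args:
            findings[current] = "AllowOverrideList <Limit"
    return findings

if __name__ == "__main__":
    for directory, reason in limit_allowed_sections(SAMPLE_CONF).items():
        print(f"{directory}: <Limit> allowed in .htaccess via {reason}")
```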
