Return-Path: <dev-return-90211-archive-asf-public=cust-asf.ponee.io@httpd.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 9B28D200D08
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 21 Sep 2017 10:54:59 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 999D41609D0; Thu, 21 Sep 2017 08:54:59 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id DF26B1609B8
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 21 Sep 2017 10:54:58 +0200 (CEST)
Received: (qmail 22052 invoked by uid 500); 21 Sep 2017 08:54:57 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 22042 invoked by uid 99); 21 Sep 2017 08:54:57 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 21 Sep 2017 08:54:57 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 6EA3518D74B
	for <dev@httpd.apache.org>; Thu, 21 Sep 2017 08:54:57 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -0.321
X-Spam-Level: 
X-Spam-Status: No, score=-0.321 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01,
	RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001]
	autolearn=disabled
Authentication-Results: spamd3-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key) header.d=gmail.com
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
	with ESMTP id dt8QgWfyzgwS for <dev@httpd.apache.org>;
	Thu, 21 Sep 2017 08:54:55 +0000 (UTC)
Received: from mail-qt0-f181.google.com (mail-qt0-f181.google.com [209.85.216.181])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id E1AC36127E
	for <dev@httpd.apache.org>; Thu, 21 Sep 2017 08:54:54 +0000 (UTC)
Received: by mail-qt0-f181.google.com with SMTP id t46so5239554qtj.2
        for <dev@httpd.apache.org>; Thu, 21 Sep 2017 01:54:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
        bh=jBzz+mCJepjRe3mQiv4ve+y87P/h1mgx/fqRw9y1Lyw=;
        b=NffTINLDvHXdophmw0lVNPWEmlJLRry2/dLE9dH8KOuMCepOEgdIC0r7zKNPu5HiIr
         VeIowxJ6YTOd8Pc3wNOfTQx3yywIJp9kvHVsftJPQomRTnpeVAjaDpcSajGno9PVv3YC
         yCYL+ijsWLWTFBx2XPbFIbLTxtBPt8TD+s4mBNFVGNSRIHgyz9PR8gaIEnUNDNmiAE6C
         GfMt9MsTbTSEERVHdnAtg8HAIEpFc79+nZOM2Yc3pB44cXU5tXtTJcMBCp8n8/T8moAL
         /L9Ygbr4AZRDds1QwlpCjEQ07ifsJTWOjGkhwaGnZswBpJWGSnVaYfOQysw8ak3/Qcv8
         unHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to;
        bh=jBzz+mCJepjRe3mQiv4ve+y87P/h1mgx/fqRw9y1Lyw=;
        b=bPyh4tbfJBPAI6a3TszN6Tj/qFXFCU7Mk8FcyURGNSD8zCiIlQ77Ck7DUGXoufC/1C
         WdJoqohq8VK7Tduf4rA9UYkuKNJp2tVH+oRIgDy+5xrtVToe1c+WX+Ir7gH/WqrwnNWW
         gmYZS0V1hS/fvIM93G0J1oTHxVYSCi/OdIBaRiZNOO9N2VrhJlUBISfZFqd1p7CkmEUN
         thkeqahrenfAq8BeKdn9Ztl1fxmVP3qljXKHGX9khc2IkrjLIaRz/r99/Atyq3DndHle
         zstVbjDIYf5fHF5L0ky0ze3IyHtyCYWhlXWpZzacuPkJ/x75mZQvXjQU8jTuPfySC1p3
         QoWQ==
X-Gm-Message-State: AHPjjUjateZGDz7Zvc1bBjAKCJvZ4pQ+q7dp2dzJSzu3JDQVMetYvH/a
	sWnrUfIrviIEK6cLr4h+bmwfJYAyJlJ/5R+iPts=
X-Google-Smtp-Source: AOwi7QDSTWtgavG6Q2PuCgQpuzdF5KAR6zVAoN5RVZGUFlGoVdT+3SxD6tDIgQ+5WATY2x/4gG9eWNZSJI3aKjUwVFg=
X-Received: by 10.237.62.206 with SMTP id o14mr2209284qtf.286.1505984094265;
 Thu, 21 Sep 2017 01:54:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.195.157 with HTTP; Thu, 21 Sep 2017 01:54:53 -0700 (PDT)
In-Reply-To: <CACsi253RfX7OT5NhZCKRru2JpOKoscux=jzDzJOnbcF31XHmMw@mail.gmail.com>
References: <CACsi253RfX7OT5NhZCKRru2JpOKoscux=jzDzJOnbcF31XHmMw@mail.gmail.com>
From: Yann Ylavic <ylavic.dev@gmail.com>
Date: Thu, 21 Sep 2017 10:54:53 +0200
Message-ID: <CAKQ1sVO=xqaRVu=iw9P0VqgiAAGtyu0=iHGMut4EA+nAR9w_Og@mail.gmail.com>
Subject: Re: Understanding OptionsBleed
To: httpd-dev <dev@httpd.apache.org>
Content-Type: text/plain; charset="UTF-8"
archived-at: Thu, 21 Sep 2017 08:54:59 -0000

On Wed, Sep 20, 2017 at 6:36 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
>
> Provided AllowOverride is None, and AllowOverrideList does not include
> "<Limit", the server should be protected, but I haven't played with
> this theory; https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist

I tested this and indeed the server is protected.
This is IMHO the rigth way to control the content of .htaccess files
from httpd.conf (i.e. a white-list).