httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] "Define" directive is ALWAYS parsed
Date Sun, 18 Sep 2016 19:30:59 GMT
On Sun, Sep 18, 2016 at 3:25 PM, Adam <adam.vest@vestfarms.com.invalid> wrote:
> Ah yes, the monkey wrench. So the reason why going that route isn't an
> option is because this is being done in a shared environment, with .htaccess
> enabled for users. In an environment like that, anyone can just drop
> SetHandler server-info into any .htaccess they want and get all of that
> (sometimes sensitive) info. Due to the nature of all this, it was looking
> like the only way to truly limit who could gain access to that info would be
> to only load the module itself under specific circumstances, which is what
> led me to where I'm at now.

That's just not possible, modules can only be loaded at startup.

>
> Is there a way I've not yet found that allows me to disable using SetHandler
> in an .htaccess context (while still allowing other things), or to not allow
> defining server-info there?

You cannot really do it well.  You can block  all of FileInfo, or list
what's overideable in AllowOverrideList but you can't use negation in
that.

There has been discussion in the past about moving some mods (like
info and status) away from SetHandler configuration for this very
reason but nothing was ever implemented.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message