[WEB SECURITY] apache issue

Mike Duncan security at randomtask.net
Wed Jun 8 09:16:50 EDT 2005

Hash: SHA1

Jay D. Dyson wrote:
> On Tue, 7 Jun 2005, Ivan Ristic wrote:
>>>> <Limit GET>
>>>>    order deny,allow
>>>>    deny from all
>>>> </Limit>
>>> This will only reject GET and HEAD requests (HEAD is always implied
>>> when GET is used), allowing all other request methods to proceed.
>     All true.  What I posted was strictly as a basic example.

When asking for help about such specifics, you should really try to give
us all the information and NOT examples. In writing the examples you may
be missing something. There is nothing wrong in pasting the relevant
httpd.conf or .htaccess lines here.

You said above that you would like the .htaccess to take precedance over
the global configuration file, but you use AllowOverride None. You
should set the AllowOverride to something else.

- From the Apache 2.0 manual

When the server finds an .htaccess file (as specified by AccessFileName)
it needs to know which directives declared in that file can override
earlier configuration directives.

Only available in <Directory> sections. AllowOverride is valid only in
<Directory> sections specified without regular expressions, not in
<Location>, <DirectoryMatch> or <Files> sections.

When this directive is set to None, then .htaccess files are completely
ignored. In this case, the server will not even attempt to read
.htaccess files in the filesystem.

> -Jay
>    (    (                                                      _______
>    ))   ))  .-"There's always time for a good cup of coffee"-.  >====<--.
>  C|~~|C|~~| \----- Jay D. Dyson -- jdyson at treachery.net -----/ |    = |-'
>   `--' `--'  `-- Pardon me, but am I on the right planet? --'  `------'
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list