Slive, Joshua wrote:
> 1. (Important) As OtherBill has been trying to point out, <Location> is
> applied after <Directory>. Therefore, if you put these things in
> <Location />, lots of things in <Directory> will fail to work. People
> won't understand why this doesn't deny access to anything:
>
> <Location />
> Order allow,deny
> allow from all
> </Location>
> <Directory /path/to/really/secret/stuff>
> deny from all
> </Directory>
And, IMO, this is just plain wrong, and needs to be fixed. It should
never be possible for <Location> to override <Directory> with looser
access restrictions, just as it should not be possible for <Directory>
to override <Location> with looser permissions. In both cases, access
should be determined by the most restrictive specification for a given
resource. Doing anything else opens up lots of opportunities for
accidental security holes and is just bad design.
-alex
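
The two behaviours discussed in this thread, side by side, as an added example that is not part of either message and is not Apache code. It is a simplified model that assumes each section carries one complete allow/deny rule and that a later section replaces an earlier one; the `Section` class, the function names and the URL-to-file mapping in `REQUEST` are constructed for illustration.

```python
# Simplified model (an assumption, not Apache source): each section carries a
# complete access rule; <Directory> sections are applied first, then <Location>.
from dataclasses import dataclass

@dataclass
class Section:
    kind: str      # "Directory" (filesystem path) or "Location" (URL path)
    prefix: str
    allow: bool    # True = "allow from all", False = "deny from all"

def covers(prefix, path):
    # Prefix match on whole path segments; "/" covers everything.
    p = prefix.rstrip("/")
    return p == "" or path == p or path.startswith(p + "/")

def matching(sections, url_path, fs_path):
    # Directory sections first, then Location sections, shortest prefix first.
    out = []
    for kind, path in (("Directory", fs_path), ("Location", url_path)):
        hits = [s for s in sections if s.kind == kind and covers(s.prefix, path)]
        out.extend(sorted(hits, key=lambda s: len(s.prefix)))
    return out

def last_section_wins(sections, url_path, fs_path):
    # Behaviour described in the quoted message: the last applied section decides.
    hits = matching(sections, url_path, fs_path)
    return hits[-1].allow if hits else True  # no section: unrestricted in this model

def most_restrictive_wins(sections, url_path, fs_path):
    # Behaviour proposed in the reply: any matching deny blocks the request.
    return all(s.allow for s in matching(sections, url_path, fs_path))

# Constructed sample mirroring the quoted configuration.
CONFIG = [
    Section("Location", "/", True),
    Section("Directory", "/path/to/really/secret/stuff", False),
]
# Constructed request: URL path and the file it is assumed to map to.
REQUEST = ("/secret/report.txt", "/path/to/really/secret/stuff/report.txt")

if __name__ == "__main__":
    print("last section wins:    ", last_section_wins(CONFIG, *REQUEST))
    print("most restrictive wins:", most_restrictive_wins(CONFIG, *REQUEST))
```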