On Wed, 2 Oct 2002, Jerry Baker wrote: > Joshua Slive says: > > This has the effect of leaving GET unrestricted, according to the bug > > report. Is this correct behavior? It seems like, since the other methods > > are not change by the <limitexcept>, the require should still apply to > > them. > > I agree. The LimitExcept directive implies that the limit will apply to > everything with the exception of what follows (POST, HEAD, GET, etc.). > "Except" is negative in nature - meaning exclusion. It implies that > nothing will be done to those requests since the directive says they are > to be excluded. Since Apache uses the LimitExcept directive to apply > some sort of context to the HTTP requests in that directive, it's not > really excluding those requests from the directive. It's semantics, but > important ones. > > Users get clues about how config directives work by the meaning of the > words used. In this case, "except" is misleading. It should be changed > to <DontLimit GET HEAD POST>. There is a difference.
No. <limitexcept> should be corrected not to touch the other methods. Otherwise, things like this wouldn't work: <limitexcept GET> require valid-user </limit> <limit GET> order deny,allow deny from badguy.com </limit> Joshua.