At 12:04 AM 11/21/2002, Glenn wrote:
>And now a question about the code: why bother checking for .htaccess files
>outside of valid DocumentRoots (or UserDirs)? If you need to set directives
>above the document root, create a <Directory> block in httpd.conf.
Apache checks whatever you ask it to. If your config includes the
AllowOverrides none at the <Directory /> layer, and AllowOverrides x
at the <Directory "{docroot}"> layer, it does exactly what you want.
One server's docroot may be simply a node within another vhost.
>Also for Apache 3.0, can AllowOverride None be the default?
>It is a more secure default, besides providing better performance.
Just as I said. You actually decrease security if the administrator
has populated .htaccess files and you flip the default on them.
I'm not against a commented out AllowOverrides None within the
default <Directory /> block, explaining it's behavior and why one
would enable that directive. Feel free to offer such a patch to
the httpd-std.conf files.
Bill
