On Mon, 01 Oct 2007 16:43:57 +0200
Ruediger Pluem <[EMAIL PROTECTED]> wrote:
> On 10/01/2007 03:30 PM, Joshua Slive wrote:
> > On 10/1/07, Jim Jagielski <[EMAIL PROTECTED]> wrote:
>
> [summary of everyone]
> No problem.

OK, it's actually applying the permissions of DocumentRoot.
It's also ignoring the permissions on <Location />.

So my report was wrong, but we still have a bug:
we shouldn't be mapping OPTIONS * to the filesystem.

You can reproduce the 403 with:

  <Directory />
    DENY
  </Directory>
  DocumentRoot /usr/local/apache/htdocs
  <Directory /usr/local/apache/htdocs>
    # no access/authnz directives at all here
  </Directory>
  <Location />
    ALLOW
  </Location>

RFC2616 tells us OPTIONS * is basically a simple HTTP ping,
which suggests it could be at a 'lower' level than authconfig
and always be allowed. If there is a reason to deny it,
that could be by means of something analogous to TraceEnable.

--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
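
A way to check how a server you administer answers the asterisk-form request discussed in this message, given as an added example that is not part of the original thread or of the Apache code base. The function names, the two sample replies (constructed) and the wording returned by `classify` are assumptions made for illustration.

```python
import socket

# Constructed sample replies: a 403 as in the reproduction above, and a ping-style 200.
SAMPLE_403 = (b"HTTP/1.1 403 Forbidden\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_200 = (b"HTTP/1.1 200 OK\r\n"
              b"Allow: GET,HEAD,POST,OPTIONS\r\n"
              b"Content-Length: 0\r\n\r\n")


def build_options_star(host):
    """Asterisk-form request (RFC 2616 5.1.2): the target is '*', not a path."""
    return ("OPTIONS * HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_reply(raw):
    """Return (status_code, Allow header value or None) from a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers.get("allow")


def classify(status):
    """Hypothetical labels: did access control get applied to OPTIONS *?"""
    if status == 200:
        return "answered as server-wide ping"
    if status in (401, 403):
        return "access control applied to OPTIONS *"
    return "other"


def probe(host, port=80, timeout=5.0):
    """Send OPTIONS * over a raw socket and return (status, allow)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_star(host))
        raw = b""
        while chunk := s.recv(4096):  # server closes because of Connection: close
            raw += chunk
    return parse_reply(raw)
```

A raw socket is used because the request target is the literal `*`, which URL-based HTTP clients generally cannot express.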