On Mon, 01 Oct 2007 16:43:57 +0200 Ruediger Pluem <[EMAIL PROTECTED]> wrote:
> On 10/01/2007 03:30 PM, Joshua Slive wrote: > > On 10/1/07, Jim Jagielski <[EMAIL PROTECTED]> wrote: > > [summary of everyone] > No problem. OK, it's actually applying the permissions of DocumentRoot. It's also ignoring the permissions on <Location /> So my report was wrong, but we still have a bug: we shouldn't be mapping OPTIONS * to the filesystem. You can reproduce the 403 with: <Directory /> DENY </Directory> DocumentRoot /usr/local/apache/htdocs <Directory /usr/local/apache/htdocs> # no access/authnz directives at all here </Directory> <Location /> ALLOW </Location> RFC2616 tells us OPTIONS * is basically a simple HTTP ping, which suggests it could be at a 'lower' level than authconfig and always be allowed. If there is a reason to deny it, that could be by means of something analagous to TraceEnable. -- Nick Kew Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/