On 12/26/2011 3:24 PM, Michael Felt wrote: > Hence - my vote - for what it is worth:
That's understood, but the vote was concluded, and the votes by the project committee members indicated a very clear consensus is that it would not be possible to provide for "untrusted" .htaccess files, in spite of a few votes to the contrary. This has been a topic of careful evaluation, unfortunately but by necessity in private on the security@ discussion list, and with this conclusion, we can begin to set about realistic expectations for web server administrators who choose to let anonymous and untrusted individuals host content plus configuration on those machines they are responsible and liable for... I'll post a document describing the dilemma tomorrow to dev@httpd, and we can update the docs accordingly.
