On 10 Jun 2013, at 15:17, Graham Leggett <[email protected]> wrote:
> On 10 Jun 2013, at 3:35 PM, Eric Covener <[email protected]> wrote:
>
>> I'd like to add an immutable Forbid directive to the core and use it in some
>> places in the default configuration instead of "require all denied".
>>
>> http://people.apache.org/~covener/forbid.diff
>>
>> This protects from a broad <Location or <If being added that supersedes
>> Directory/Files.
>
> Does Location supersede Directory/Files?
>
> My understanding is that if the Directory/Files says no, then the access is
> denied, regardless of what Location says. Or to state it another way, we are
> successful until the first directive comes along that says denied. We don't
> deny, and then later on change our mind and succeed again.

I think that “dangerous” behaviour IS how httpd behaves. Have a look at the end of http://httpd.apache.org/docs/2.4/sections.html#merging

-- 
Tim Bannister – [email protected]
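
The merge behaviour discussed in this thread, as an added httpd 2.4 configuration example that is not part of the original messages or of the proposed patch. The path `/srv/www/private` is a hypothetical placeholder; `AuthMerging` is the existing mod_authz_core directive.

```apache
# Constructed example. /srv/www/private is a hypothetical path.

# Intended lockdown: nothing under this directory should be served.
<Directory "/srv/www/private">
    Require all denied
</Directory>

# Weak: a broad section added later for an unrelated reason.
# <Location> sections are merged after <Directory> and <Files>, and with
# the default "AuthMerging Off" the authorization directives of this
# section replace the ones merged before it. Requests that map to
# /srv/www/private are therefore granted.
<Location "/">
    Require all granted
</Location>

# Corrected alternative (use instead of the block above, not alongside it):
# "AuthMerging And" combines this section's authorization with that of the
# preceding sections, so the earlier "Require all denied" still applies
# and the request is refused.
#
# <Location "/">
#     AuthMerging And
#     Require all granted
# </Location>
```

When auditing a configuration for this pattern, look for `Require` directives inside broad `<Location>`, `<LocationMatch>` or `<If>` sections that cover paths already denied in `<Directory>` or `<Files>`.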
