On 10 Jun 2013, at 15:17, Graham Leggett <minf...@sharp.fm> wrote:
> On 10 Jun 2013, at 3:35 PM, Eric Covener <cove...@gmail.com> wrote:
> 
>> I'd like to add an immutable Forbid directive to the core and use it in some 
>> places in the default configuration instead of "require all denied".
>> 
>> http://people.apache.org/~covener/forbid.diff
>> 
>> This protects from a broad <Location or <If being added that supersedes 
>> Directory/Files.
> 
> Does Location supersede Directory/Files?
> 
> My understanding is that if the Directory/Files says no, then the access is 
> denied, regardless of what Location says. Or to state it another way, we are 
> successful until the first directive comes along that says denied. We don't 
> deny, and then later on change our mind and succeed again.

I think that “dangerous” behaviour IS how httpd behaves. Have a look at the end 
of http://httpd.apache.org/docs/2.4/sections.html#merging

-- 
Tim Bannister – is...@jellybaby.net
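
The merge order this thread refers to can be checked mechanically. The following is an added example, not code from the thread or from httpd: a small audit that flags `<Location>`, `<LocationMatch>` or `<If>` sections whose `Require` is merged after an earlier `Require all denied`. The function names and the sample configuration are constructed for illustration, and the check is a heuristic that assumes the later section's authorization takes precedence and does not compare the paths the sections cover.

```python
import re

# Merge order from httpd.apache.org/docs/2.4/sections.html#merging:
# sections with a higher rank are merged later and take precedence.
MERGE_RANK = {"directory": 1, "directorymatch": 2, "files": 3, "filesmatch": 3,
              "location": 4, "locationmatch": 4, "if": 5}
SECTION_OPEN = re.compile(r"^<(\w+)\s*(.*)>$")

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = '''
<Directory "/">
    Require all denied
</Directory>
<Files ".ht*">
    Require all denied
</Files>
<Location "/">
    Require all granted
</Location>
'''

def require_rules(conf):
    """Return (rank, kind, arg, requirement) for every Require in a merged section."""
    stack, rules = [], []
    for line in (raw.strip() for raw in conf.splitlines()):
        if line.startswith("</"):
            del stack[-1:]  # close the innermost section; no-op if unbalanced
        elif (m := SECTION_OPEN.match(line)):
            stack.append((m.group(1).lower(), m.group(2).strip()))
        elif line.lower().startswith("require "):
            req = " ".join(line.split()[1:]).lower()
            # Attribute the rule to the innermost section that takes part in merging.
            for kind, arg in reversed(stack):
                if kind in MERGE_RANK:
                    rules.append((MERGE_RANK[kind], kind, arg, req))
                    break
    return rules

def superseding_sections(conf):
    """List later-merged sections whose Require can replace an earlier 'all denied'."""
    rules = require_rules(conf)
    denies = [r for r in rules if r[3] == "all denied"]
    findings = []
    for rank, kind, arg, req in rules:
        shadowed = [(k, a) for dr, k, a, _ in denies if dr < rank]
        if req != "all denied" and shadowed:
            findings.append(((kind, arg), shadowed))
    return findings

print(superseding_sections(SAMPLE_CONF))
```

A `<Directory>` section that grants access below a denied parent is not reported, because both sit in the same merge group and that override is the ordinary, intended one.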
