On Thu, Sep 21, 2017 at 10:54 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
> On Wed, Sep 20, 2017 at 6:36 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>> Provided AllowOverride is None, and AllowOverrideList does not include
>> "<Limit", the server should be protected, but I haven't played with
>> this theory;
>> https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist
>
> I tested this and indeed the server is protected.
> This is IMHO the right way to control the content of .htaccess files
> from httpd.conf (i.e. a white-list).

Also note that AllowOverride containing "AuthConfig" implicitly allows <Limit > in .htaccess, I think we should change this since "Limit" can be specified explicitly in AllowOverride.
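
An added example, not part of the original message or of httpd itself: a small audit that flags `<Directory>` sections whose override settings would let a .htaccess file carry `<Limit>`, following the conditions discussed in this thread. The sample configuration and its paths are constructed, and the parser is a simplification that ignores inheritance between sections, `<DirectoryMatch>` and `Include`.

```python
import re

# Constructed sample configuration; the paths are hypothetical.
SAMPLE_CONF = """\
<Directory "/srv/www/a">
    AllowOverride None
    AllowOverrideList Redirect RedirectMatch
</Directory>
<Directory "/srv/www/b">
    AllowOverride AuthConfig
</Directory>
<Directory "/srv/www/c">
    AllowOverride None
    AllowOverrideList Redirect <Limit
</Directory>
<Directory "/srv/www/d">
    AllowOverride FileInfo Indexes
</Directory>
"""

# AllowOverride classes that admit <Limit> in .htaccess: "All" and "Limit",
# plus "AuthConfig" as observed in the thread above.
LIMIT_CLASSES = {"all", "limit", "authconfig"}

def audit(conf):
    """Return {directory: [offending settings]} for sections admitting <Limit>."""
    findings, current = {}, None
    for raw in conf.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', raw.strip(), re.I)
        if opened:
            current = opened.group(1)
        elif parts[0].lower().startswith("</directory"):
            current = None
        elif current is not None:
            name, tokens = parts[0], parts[1:]
            if name.lower() == "allowoverride":
                bad = [t for t in tokens if t.lower() in LIMIT_CLASSES]
            elif name.lower() == "allowoverridelist":
                bad = [t for t in tokens if t.lower().rstrip(">") == "<limit"]
            else:
                continue
            if bad:
                findings.setdefault(current, []).append(f"{name} {' '.join(bad)}")
    return findings

if __name__ == "__main__":
    for directory, reasons in audit(SAMPLE_CONF).items():
        print(directory, "->", "; ".join(reasons))
```
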