On Tue, 24 Apr 2007 21:12:35 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
One thing that is very important IMHO is that it is possible using
headers to turn off access to a whole server. One use case for this would
be if a site notices some files are misconfigured and as an immediate
security precaution disables access to all files while figuring out what
is wrong.
Another scenario would be a hosting server such as livejournal or
geocities wanting to disable access to all their hosted files even
though other users manage the contents of those files.

How about changing:

  rule ::= "allow" (pattern)+ ("exclude" (pattern)+)?

To:

  rule  ::= deny | allow
  deny  ::= "deny" (pattern)+
  allow ::= "allow" (pattern)+ ("exclude" (pattern)+)?

And then letting the algorithm in section 3 first seek through all explicit deny clauses.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
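
The deny-first evaluation proposed in the message above, as an added Python example that is not part of the original e-mail or of the specification. The function names, the list-of-strings rule input and the glob-style matching of patterns against a requesting host are assumptions made for illustration.

```python
import fnmatch

KEYWORDS = ("allow", "deny", "exclude")

def parse_rule(text):
    """Parse one rule of the proposed grammar into (kind, patterns, excludes)."""
    tokens = text.split()
    if not tokens or tokens[0] not in ("allow", "deny"):
        raise ValueError(f"rule must start with allow or deny: {text!r}")
    kind, rest, excludes = tokens[0], tokens[1:], []
    if "exclude" in rest:
        if kind == "deny":
            raise ValueError("deny takes no exclude clause")
        cut = rest.index("exclude")
        rest, excludes = rest[:cut], rest[cut + 1:]
        if not excludes:
            raise ValueError("exclude needs at least one pattern")
    if not rest:
        raise ValueError("rule needs at least one pattern")
    if any(tok in KEYWORDS for tok in rest + excludes):
        raise ValueError(f"keyword used as a pattern: {text!r}")
    return kind, rest, excludes

def matches(host, patterns):
    # Assumption: patterns are case-insensitive host globs such as *.example.org.
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)

def access_granted(host, rules):
    """Deny-first evaluation: explicit deny clauses are consulted before any allow."""
    parsed = [parse_rule(r) for r in rules]
    # Pass 1: a matching deny ends the decision, wherever the rule appears.
    if any(k == "deny" and matches(host, pats) for k, pats, _ in parsed):
        return False
    # Pass 2: grant only if an allow rule matches and its exclude list does not.
    return any(k == "allow" and matches(host, pats) and not matches(host, exc)
               for k, pats, exc in parsed)

# Constructed sample: a per-file allow rule, then the same rule alongside a
# server-wide "deny *" of the kind the quoted message asks for.
FILE_RULES = ["allow *.example.org exclude test.example.org"]
LOCKED_DOWN = FILE_RULES + ["deny *"]

if __name__ == "__main__":
    for host in ("www.example.org", "test.example.org", "www.example.net"):
        print(host, access_granted(host, FILE_RULES), access_granted(host, LOCKED_DOWN))
```

Because the deny pass runs over every rule before any allow is considered, a server-level `deny *` overrides per-file allow rules regardless of the order in which the rules are combined.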
