As far as I know, the default has not changed since the directive was introduced: DefaultThe treatment of requests with trailing pathname information is determined by the handler <http://httpd.apache.org/docs/2.4/handler.html> responsible for the request. The core handler for normal files defaults to rejecting PATH_INFO requests. Handlers that serve scripts, such as cgi-script <http://httpd.apache.org/docs/2.4/mod/mod_cgi.html> and isapi-handler <http://httpd.apache.org/docs/2.4/mod/mod_isapi.html>, generally accept PATH_INFO by default.
On Thu, Nov 13, 2014 at 11:45 AM, Christoph Gröver <gro...@sitepark.com> wrote: > > Hello list, > > > This is usually the intended behavior. Many PHP frameworks use > > PATH_INFO to handle requests. > > > > See the documentation for AcceptPathInfo: > > http://httpd.apache.org/docs/current/mod/core.html#acceptpathinfo > > Thanks Yehuda. I see why this is being used. Is this the default for > a long time? > Last time I checked the use of trailing slashes or other nonsense > to bypass security features it didn't work. > > I run a module which should restrict the use of certain URLs, so I > think I have to prevent this configuration somehow. > > Thanks for the link. > Greetings > > -- > Christoph Gröver >
