https://bz.apache.org/bugzilla/show_bug.cgi?id=69891
Rich Bowen <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #1 from Rich Bowen <[email protected]> --- Added a warning to the configuration sections merging documentation explaining that <Limit> inside <Location> can silently grant access for non-listed HTTP methods, overriding <Directory> restrictions. The issue: when <Limit CONNECT> wraps a Require directive inside <Location />, non-CONNECT requests see the <Location> section as having no authorization requirements — which overrides any <Directory>-level denials due to the merge order. Cross-references added from: - <Limit> directive documentation (core.xml) - Access Control howto (howto/access.xml) Patched in r1933720 (trunk), r1933721 (2.4). -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
