You are viewing a plain text version of this content. The canonical link for it is here.
Posted to docs@httpd.apache.org by Cliff Woolley <jw...@virginia.edu> on 2003/08/13 20:39:08 UTC
vs.
Where is the distinction between <Location> and <Directory> in terms of
access control and directory name canonicalization documented? I tried to
point someone to it and couldn't find it. That either means it's right in
front of my face (likely) or it means it needs to be put somewhere more
prominent.
Thanks,
Cliff
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: vs.
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 13 Aug 2003, Cliff Woolley wrote:
>
> Where is the distinction between <Location> and <Directory> in terms of
> access control and directory name canonicalization documented? I tried to
> point someone to it and couldn't find it. That either means it's right in
> front of my face (likely) or it means it needs to be put somewhere more
> prominent.
Here:
http://httpd.apache.org/docs-2.0/sections.html
Which should be linked from all the relevant places.
That document is much weaker in 1.3; but then again, so are a lot of
things.
Joshua.
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: vs.
Posted by Cliff Woolley <jw...@virginia.edu>.
On Wed, 13 Aug 2003, Cliff Woolley wrote:
> Doh! So it does. I only looked at LocationMatch. :-/
Well, hang on, they're right next to each other (duh, alpha order). I
didn't see it because I clicked on the #locationmatch link in
directives.html and jumped right down to locationmatch. So maybe just a
warning that there are security concerns and have it refer you up to
#location for details. Sounds better.
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: vs.
Posted by Cliff Woolley <jw...@virginia.edu>.
On Wed, 13 Aug 2003, Joshua Slive wrote:
> The Location docs in 2.0 say almost exactly that:
Doh! So it does. I only looked at LocationMatch. :-/
I'm going to copy that whole blurb from Location to LocationMatch if it's
alright with you.
> Also, I'm not happy anymore with how I organized sections.html. Having
> the discussion of <IfModule> and <IfDefine> right at the top puts way to
> much emphasis on these silly sections. Improvements welcome.
Actually I think it reads pretty well as a page on the whole. As for
IfModule and IfDefine, you might just insert another subhead so that that
stuff isn't under "Types of Configuration Section Containers" but under
"Conditional Directive Processing" or something. The real problem here
was that the information I was looking for WAS there, just not where I was
looking for it. A name link down to "What to use when" from Location and
LocationMatch would be good, and copying that (very useful) information
from Location to LocationMatch would also be good. I think that pretty
much covers it.
Thanks,
Cliff
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: vs.
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 13 Aug 2003, Cliff Woolley wrote:
> WARNING: Use these directives only for objects that do not reside in the
> filesystem (such as a webpage generated from a database). When applying
> directives to objects that reside in the filesystem, use <Directory> or
> <Files> instead. See the "What to use when" section of
> http://httpd.apache.org/docs-2.0/sections.html for more details.
The Location docs in 2.0 say almost exactly that:
"<Location> sections operate completely outside the filesystem. This has
several consequences. Most importantly, <Location> directives should not
be used to control access to filesystem locations. Since several different
URLs may map to the same filesystem location, such access controls may by
circumvented.
When to use <Location>
Use <Location> to apply directives to content that lives outside the
filesystem. For content that lives in the filesystem, use <Directory> and
<Files>. An exception is <Location />, which is an easy way to apply a
configuration to the entire server."
Adding a link from there to sections.html might be a good idea, however.
Also, I'm not happy anymore with how I organized sections.html. Having
the discussion of <IfModule> and <IfDefine> right at the top puts way to
much emphasis on these silly sections. Improvements welcome.
Joshua.
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: vs.
Posted by Cliff Woolley <jw...@virginia.edu>.
On Wed, 13 Aug 2003, André Malo wrote:
> You mean <http://httpd.apache.org/docs-2.0/sections.html>?
Hmm, yes. I actually did look at that page (and its 1.3 counterpart)
prior to writing the guy back and prior to sending in this inquiry, but I
somehow overlooked that part of the page (I found it just now but I had to
read almost the whole page). And the documentation for <Location> and
<Directory> etc do refer to that page, but not to any particular part
of that page, and the referring link only says to go to that page "for an
explanation of how these different sections are combined when a request is
received" without warning that there are security implications. I suggest
adding a blurb (especially to the Location and LocationMatch directive
documentation in core.html) that says something like:
WARNING: Use these directives only for objects that do not reside in the
filesystem (such as a webpage generated from a database). When applying
directives to objects that reside in the filesystem, use <Directory> or
<Files> instead. See the "What to use when" section of
http://httpd.apache.org/docs-2.0/sections.html for more details.
--Cliff
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: vs.
Posted by André Malo <nd...@perlig.de>.
* Cliff Woolley wrote:
> Where is the distinction between <Location> and <Directory> in terms of
> access control and directory name canonicalization documented? I tried to
> point someone to it and couldn't find it. That either means it's right in
> front of my face (likely) or it means it needs to be put somewhere more
> prominent.
You mean <http://httpd.apache.org/docs-2.0/sections.html>?
nd
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org