On Sun, Sep 18, 2016 at 3:25 PM, Adam <adam.vest@xxxxxxxxxxxxx.invalid> wrote:Ah yes, the monkey wrench. So the reason why going that route isn't an option is because this is being done in a shared environment, with .htaccess enabled for users. In an environment like that, anyone can just drop SetHandler server-info into any .htaccess they want and get all of that (sometimes sensitive) info. Due to the nature of all this, it was looking like the only way to truly limit who could gain access to that info would be to only load the module itself under specific circumstances, which is what led me to where I'm at now.That's just not possible, modules can only be loaded at startup.Is there a way I've not yet found that allows me to disable using SetHandler in an .htaccess context (while still allowing other things), or to not allow defining server-info there?You cannot really do it well. You can block all of FileInfo, or list what's overideable in AllowOverrideList but you can't use negation in that. There has been discussion in the past about moving some mods (like info and status) away from SetHandler configuration for this very reason but nothing was ever implemented. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|