On 8/3/05, Chris Johnson <johnson@xxxxxxxxxxxxxxxxxxx> wrote: > We need to prevent users with URLs of the ~<user> variety from > doing PHP or other things which execute arbirtary code. But (there's > always a but), at the same time we need to allow it for URLs not of > that type, i.e. all other references. There's the following snippet > from httpd.conf which we modified a tad > > So first question. Is that first Limit section necessary? Usually, no. It depends on what you have in other sections of httpd.conf that may deny access. > > Second question. What is it aboruit that second section, i.e. the > LimitExcept, that dissallows PHP? Nothing. That section does not disallow php; it disallows certain HTTP methods. If you have php turned off by default, then the AllowOverride directive should prevent .htaccess files from being used to turn it on again. But you may want to add something like <Location /~> php_flag engine off </Location> to be sure. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|