On Tue, Jan 15, 2008 at 03:44:11PM +0100, Boyle Owen wrote: > That's a matter of opinion - I guess you are expecting it only to block > the PHP file if it exists. But that would mean that apache would have to > stat the file (ie, expensive file operation) even though it knows that > it is going to deny access anyway. That seems pretty pointless in the > general case so it just sends the 403 straight away, before it wastes > time looking up the file. I think it is also security relevant. If you would send a 403 on an existing file and 404 on a non-existing one, an attacker could use this behaviour to scan a site. regs, Christian --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|