>Number: 1295 >Category: config >Synopsis: Default Options is "All" >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: duplicate >Submitter-Id: apache >Arrival-Date: Wed Oct 22 05:10:00 PDT 1997 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2.4 >Environment: All >Description: This is a followup to my "critical" bug report from this morning. I was mistaken. ExecCGI does work as expected. The problem is that Options defaults to All if it is not mentioned in a <directory> section. My server had no <Directory> or <Location> sections for user-supported directories. Hence all ~username directories had ExecCGI turned on.
This seems to me to be a dangerous situation. Shouldn't Options default to "None"? At the very least, there should be some warning in the documentation about this, and a default <Location /~*> entry in access.conf-dist that establishes conservative policies. >How-To-Repeat: >Fix: >Audit-Trail: >Unformatted:
