Joshua Slive says: > This has the effect of leaving GET unrestricted, according to the bug > report. Is this correct behavior? It seems like, since the other methods > are not change by the <limitexcept>, the require should still apply to > them.
I agree. The LimitExcept directive implies that the limit will apply to everything with the exception of what follows (POST, HEAD, GET, etc.). "Except" is negative in nature - meaning exclusion. It implies that nothing will be done to those requests since the directive says they are to be excluded. Since Apache uses the LimitExcept directive to apply some sort of context to the HTTP requests in that directive, it's not really excluding those requests from the directive. It's semantics, but important ones. Users get clues about how config directives work by the meaning of the words used. In this case, "except" is misleading. It should be changed to <DontLimit GET HEAD POST>. There is a difference. -- Jerry Baker
