On Thu, Apr 23, 2009 at 8:31 AM, Joe Orton <[email protected]> wrote:
> These are fixable but one question is left on how a particular > combination of Includes and IncludesNoExec is interpreted: > > - if httpd.conf has "Options Includes", and an .htaccess file has > "Options +IncludesNoExec" - should exec= be permitted in an SSI? I don't think so; .htaccess is an override of httpd.conf (admittedly, that's a bit squirrel-y with Includes vs. IncludesNoExec ;) ) It is useful to be able to turn off Exec in .htaccess. Currently, either of these in .htaccess will override Options Include in httpd.conf: a. Options -Includes +IncludesNoExec b. Options +IncludesNoExec I have no guess on the relative use; I would prefer not breaking either.
