On Monday 10 June 2013, Tim Bannister wrote:
> On 10 Jun 2013, at 15:17, Graham Leggett <minf...@sharp.fm> wrote:
> > On 10 Jun 2013, at 3:35 PM, Eric Covener <cove...@gmail.com> wrote:
> >> I'd like to add an immutable Forbid directive to the core and
> >> use it in some places in the default configuration instead of
> >> "require all denied".
> >>
> >> http://people.apache.org/~covener/forbid.diff
> >>
> >> This protects from a broad <Location or <If being added that
> >> supersedes Directory/Files.
> >
> > Does Location supersede Directory/Files?
> >
> > My understanding is that if the Directory/Files says no, then the
> > access is denied, regardless of what Location says. Or to state
> > it another way, we are successful until the first directive
> > comes along that says denied. We don't deny, and then later on
> > change our mind and succeed again.
>
> I think that “dangerous” behaviour IS how httpd behaves. Have a
> look at the end of
> http://httpd.apache.org/docs/2.4/sections.html#merging

I think the real problem is that AuthzMerging defaults to "off". Having a default of "and" would have been a lot safer, but that cannot be changed in 2.4 anymore. And there is not even a way to make AuthzMerging default to "and" globally. Time for a "DefaultAuthzMerging XXX" or an "AuthzMerging XXX inherit" directive?
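
The merging behaviour discussed in this thread, shown as an added httpd 2.4 configuration example that is not part of any of the original messages. The document root and the /legacy and /app URL prefixes are constructed for illustration.

```apache
# Constructed example: the paths and URL prefixes are assumptions.
DocumentRoot "/var/www/html"

# Baseline in the style of the default configuration:
# deny the filesystem, then open up the document root.
<Directory "/">
    Require all denied
</Directory>

<Directory "/var/www/html">
    Require all granted
</Directory>

# Keep .htaccess / .htpasswd files from being served.
<Files ".ht*">
    Require all denied
</Files>

# Weak: AuthzMerging defaults to Off, so the Require directives of this
# section replace whatever the earlier-merged <Directory> and <Files>
# sections decided. <Location> is merged after both, which means the
# ".ht*" denial no longer applies to anything under /legacy.
<Location "/legacy">
    Require all granted
</Location>

# Corrected: with "AuthzMerging And" the result of this section is
# combined with the result inherited from the earlier sections, and
# both must succeed. The ".ht*" denial is kept under /app, while
# ordinary files there are still granted.
<Location "/app">
    AuthzMerging And
    Require all granted
</Location>
```

AuthzMerging has to be set in each section that should inherit earlier decisions, which is the gap the proposed global default or Forbid directive is meant to close.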