If we agree that whitelisting is the preferred practice over blacklisting, and that the whitelist as-is was inaccurate, I believe we can accept the behavior change to trunk as well as 2.4 and 2.2 that blacklists may be loosened with the application of this patch while any sensible whitelists will be strengthened and more accurate. We want to favor more explicit behaviors, but I'd suggest that if the user really wanted something this flexible, they would have used the <LocationMatch > abstraction instead of <DirectoryMatch >, which was very explicit about its intent if not the implementation.

Bill

--------- Original Message ---------
Subject: Fix DirectoryMatch to not match regular files?
From: "Jan Kaluža" <[email protected]>
Date: 10/29/14 6:18 am
To: [email protected]

Hi,

I was trying to fix PR41867 using attached patch. While the patch seems to work, I'm thinking if the behaviour change introduced by the patch can bring some problems.

Currently, "<DirectoryMatch ^/var/www/html/private>" matches also "/var/www/html/private.txt" even though it is a regular file and not a directory. With the patch, DirectoryMatch won't match "private.txt" in this case, because it's a file.

While I think this is expected behaviour of DirectoryMatch, I'm not sure if it's acceptable change in 2.4.x branch (or even trunk?).

What do you think?

Regards,
Jan Kaluza
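
An added example, not part of the thread or the attached patch: a small audit that lists which regular files a `<DirectoryMatch>` pattern covers only because the regex is tested against the full file path, that is, the files whose coverage would change under the behaviour discussed above. It assumes a simplified model (current: regex tested against the file path; patched: regex tested against the containing directory only) and uses Python's `re` as a stand-in for Apache's regex engine; the config, the file list and the function names are constructed for illustration.

```python
import re

# Constructed sample config: the pattern from the thread, then an anchored variant.
SAMPLE_CONF = '''
<DirectoryMatch "^/var/www/html/private">
    Require all denied
</DirectoryMatch>
<DirectoryMatch "^/var/www/html/private(/|$)">
    Require all denied
</DirectoryMatch>
'''

# Constructed listing of regular files under the document root.
SAMPLE_FILES = [
    "/var/www/html/index.html",
    "/var/www/html/private.txt",
    "/var/www/html/private/report.pdf",
    "/var/www/html/private-old/notes.txt",
]

# Simplified section parser: handles quoted or bare patterns without spaces.
SECTION = re.compile(r'<DirectoryMatch\s+"?([^">\s]+)"?\s*>', re.IGNORECASE)

def patterns(conf_text):
    """Return the regex argument of every <DirectoryMatch> section."""
    return SECTION.findall(conf_text)

def coverage_change(conf_text, files):
    """Map each pattern to the files it matches by full path but not by directory.

    Under the assumed model these are the files a section applies to today
    and would stop applying to once only directories are matched.
    """
    report = {}
    for pat in patterns(conf_text):
        rx = re.compile(pat)
        lost = []
        for path in files:
            parent = path.rsplit("/", 1)[0] or "/"
            if rx.search(path) and not rx.search(parent):
                lost.append(path)
        report[pat] = lost
    return report

if __name__ == "__main__":
    for pat, lost in coverage_change(SAMPLE_CONF, SAMPLE_FILES).items():
        print(pat, "->", lost or "no change")
```

A non-empty list for a section that denies access marks a deny rule that depends on the file-matching behaviour and should be restated with `<FilesMatch>` or `<LocationMatch>` before the change is applied.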
