On Wed, Apr 4, 2018 at 1:02 PM, Nick Kew <n...@apache.org> wrote:
> On Wed, 4 Apr 2018 10:46:31 -0400
> Eric Covener <cove...@gmail.com> wrote:
>
>
>> What is the correct configuration that doesn't cause htaccess to be
>> visited?  If it's trunk only, I think it should be an alternate config
>> mechanism rather than making it incompatible with any other setting in
>> htaccess.
>
> Anything equivalent to the "canonical" example in both the
> mod_status docs and the shipped httpd-info.conf.in .
>
> Note that the latter also implies it can be restricted to
> an access list, which is misleading if any "Require" can
> be bypassed through .htaccess.
>
> # Allow server status reports generated by mod_status,
> # with the URL of http://servername/server-status
> # Change the ".example.com" to match your domain to enable.
>
> <Location /server-status>
>     SetHandler server-status
>     Require host .example.com
>     Require ip 127
> </Location>
>

That configuration has no bearing on whether htaccess files are
visited for a request to /server-status.
That's why the taint check is too aggressive in this case.

Reply via email to