On Wed, Apr 4, 2018 at 1:02 PM, Nick Kew <n...@apache.org> wrote:
> On Wed, 4 Apr 2018 10:46:31 -0400
> Eric Covener <cove...@gmail.com> wrote:
>> What is the correct configuration that doesn't cause htaccess to be
>> visited?  If it's trunk only, I think it should be an alternate config
>> mechanism rather than making it incompatible with any other setting in
>> htaccess.
> Anything equivalent to the "canonical" example in both the
> mod_status docs and the shipped httpd-info.conf.in .
> Note that the latter also implies it can be restricted to
> an access list, which is misleading if any "Require" can
> be bypassed through .htaccess.
> # Allow server status reports generated by mod_status,
> # with the URL of http://servername/server-status
> # Change the ".example.com" to match your domain to enable.
> <Location /server-status>
>     SetHandler server-status
>     Require host .example.com
>     Require ip 127
> </Location>

That configuration has no bearing on whether htaccess files are
visited for a request to /server-status.
That's why the taint check is too aggressive in this case.
