On Wed, Apr 4, 2018 at 7:33 PM, Eric Covener <cove...@gmail.com> wrote:
> On Wed, Apr 4, 2018 at 1:02 PM, Nick Kew <n...@apache.org> wrote:
>> On Wed, 4 Apr 2018 10:46:31 -0400
>> Eric Covener <cove...@gmail.com> wrote:
>>
>>
>>> What is the correct configuration that doesn't cause htaccess to be
>>> visited?  If it's trunk only, I think it should be an alternate config
>>> mechanism rather than making it incompatible with any other setting in
>>> htaccess.
>>
>> Anything equivalent to the "canonical" example in both the
>> mod_status docs and the shipped httpd-info.conf.in .
>>
>> Note that the latter also implies it can be restricted to
>> an access list, which is misleading if any "Require" can
>> be bypassed through .htaccess.
>>
>> # Allow server status reports generated by mod_status,
>> # with the URL of http://servername/server-status
>> # Change the ".example.com" to match your domain to enable.
>>
>> <Location /server-status>
>>     SetHandler server-status
>>     Require host .example.com
>>     Require ip 127
>> </Location>
>>
>
> That configuration has no bearing on whether htaccess files are
> visited for a request to /server-status.
> That's why the taint check is too aggressive in this case.

Couldn't we have a TaintedAction (or so) directive/function which
modules could check (instead of the black or white "is tainted") so
that users can choose? Maybe per module choice or?

We then possibly could be quite relaxed on 2.4 and more aggressive on
trunk, by default.


Regards,
Yann.
