On Fri, Sep 14, 2007 at 07:10:22PM -0500, Jacob Yocom-Piatt wrote:
> have a few apache config settings that are needed in an .htaccess file,
> such as SetEnvIf, RewriteEngine, RewriteBase and RewriteRule. by having
> "AllowOverride All" for the Directory corresponding to where the
> .htaccess file resides one can have these additional settings in the
> .htaccess file and work properly.
>
> is there a more fine-grained way to allow config settings like mentioned
> above in .htaccess files? would also be nice to know if having the
> "AllowOverride All" for a given directory is much of a security worry.

"AllowOverride All" means that if someone manages to put .htaccess anywhere lower in the tree then they can override things you didn't intend, etc. It's not especially nice. Don't think "show me an exploit," think attack mitigation.

Do you *really* need to do this in .htaccess? Anything you can accomplish there can also be done in <Directory> in the config, no?

-- 
Darrin Chandler | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
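
The move from .htaccess into <Directory> suggested in the reply above, as an added example that is not part of the original thread. The directory path, the rewrite pattern and the environment variable name are constructed placeholders.

```apache
# Constructed example: path, pattern and variable name are placeholders.

# Before: any .htaccess file under this tree may override every
# directive class the server allows.
#<Directory "/var/www/htdocs/app">
#    AllowOverride All
#</Directory>

# After: .htaccess files under this tree are ignored, and the directives
# the application needs live in the server config, which only the
# administrator can edit.
<Directory "/var/www/htdocs/app">
    AllowOverride None

    # Directives moved over from the old .htaccess file. Rewrite rules in
    # a <Directory> block use the same per-directory matching as in
    # .htaccess, so the patterns can be copied unchanged.
    SetEnvIf User-Agent "^ExampleBot" is_examplebot
    RewriteEngine On
    RewriteBase /app/
    RewriteRule ^item/([0-9]+)$ index.php?id=$1 [L,QSA]
</Directory>

# If .htaccess files have to stay in use, FileInfo is the override class
# that covers SetEnvIf and the Rewrite* directives, so it is narrower
# than All:
#<Directory "/var/www/htdocs/app">
#    AllowOverride FileInfo
#</Directory>
```

Running `apachectl configtest` before restarting checks the moved directives for syntax errors.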

