of performance and to allow automount symlinks to be followed, we
mistakenly opened access to the entire directory system by default.
I noticed this because all of the /~user directories are available
by default without any restrictions, which is a bad idea for anything
other than one server within a department of shared users. However,
it also makes it easier to serve files anywhere on disk by mistake,
and makes other URI-handling bugs more severe than they would be
otherwise. Therefore, this patch reinstates access control to deny
access to all files other than under DocumentRoot, icons, and manual,
until additional directory/locations are explicitly allowed by the admin.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100593
13f79535-47bb-0310-9956-
ffa450edef68
<Directory />
Options FollowSymLinks
AllowOverride None
+ Order deny,allow
+ Deny from all
</Directory>
#
#
# UserDir: The name of the directory that is appended onto a user's home
-# directory if a ~user request is received.
+# directory if a ~user request is received. Note that you must also set
+# the default access control for these directories, as in the example below.
#
<IfModule mod_userdir.c>
UserDir public_html
<Directory />
Options FollowSymLinks
AllowOverride None
+ Order deny,allow
+ Deny from all
</Directory>
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received. Be especially careful to use
# proper, forward slashes here. On Windows NT, "Personal/My Website"
-# is a more appropriate choice.
+# is a more appropriate choice. Note that you must also set the default
+# access control for these directories, as in the example below.
#
UserDir "My Documents/My Website"
projects / apache / commitdiff