On Fri, Sep 14, 2007 at 07:10:22PM -0500, Jacob Yocom-Piatt wrote:

quoted text
> have a few apache config settings that are needed in an .htaccess file,

> such as SetEnvIf, RewriteEngine, RewriteBase and RewriteRule. by having

> "AllowOverride All" for the Directory corresponding to where the

> .htaccess file resides one can have these additional settings in the

> .htaccess file and work properly.

>

> is there a more fine-grained way to allow config settings like mentioned

> above in .htaccess files? would also be nice to know if having the

> "AllowOverride All" for a given directory is much of a security worry.

"AllowOverride All" means that if someone manages to put .htaccess

anywhere lower tree then they can override things you didn't intend,

etc. It's not especially nice. Don't think "show me an exploit," think

attack mitigation.
Do you *really* need to do this in .htaccess? Anything you can

accomplish there can also be done in  in the config, no?
--

Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG

dwchandler@stilyagin.com   |  http://phxbug.org/      |  http://metabug.org/

http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation