* SECURITY.md: Tweak wording around delegated configs.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935333 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/SECURITY.md b/SECURITY.md
index 8d2c84da5a8e3269e273b037e71e6c6a9f7f875b..24bf4e3f2caa3b57dea8d987c4286116f1cbbb77 100644 (file)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -103,15 +103,21 @@ CVE-2012-0031.
 ## Delegated Configuration 
 
 Server configuration can be delegated to trusted local site authors by
 ## Delegated Configuration 
 
 Server configuration can be delegated to trusted local site authors by

-allowing use of .htaccess files in non-default configurations.  Local
-site authors are trusted to not attack the server with malformed or
-malicious .htaccess files (for example, files of excessive size).
+allowing use of .htaccess files in some configurations (see
+https://httpd.apache.org/docs/2.4/howto/htaccess.html).  Site authors
+gain a significant degree of control over, and access to, the server
+at run-time:

 
 

-In configurations supporting in-process scripting language interpreters
-which are not sandboxed, such as `mod_lua` or `mod_php`, local site
-authors have equivalent privileges to the less-privileged server user.
+* site authors are trusted to not attack the server with malformed or
+  malicious .htaccess files (for example, files of excessive size).
+
+* site authors gain access to some data (such as files or the
+  environment) which is otherwise restricted.

 
 

-(### TODO something about AllowOverride)
+In configurations supporting in-process scripting language interpreters
+which are not sandboxed, such as `mod_lua` or `mod_php`,
+site authors have exactly equivalent privileges to the user which the
+server runs as.

 
 ## Dependent Services
 
 
 ## Dependent Services