Bug 69891: Warn that <Limit> inside <Location> can silently override <Directory>...
authorRich Bowen <rbowen@apache.org>
Sat, 2 May 2026 19:54:14 +0000 (19:54 +0000)
committerRich Bowen <rbowen@apache.org>
Sat, 2 May 2026 19:54:14 +0000 (19:54 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933720 13f79535-47bb-0310-9956-ffa450edef68

docs/manual/howto/access.xml
docs/manual/mod/core.xml
docs/manual/sections.xml

index e8a59f2f43173b7af1525fee7c981169a9ece46b..5861e124d94c379ffff65721e105167eb9e4be88 100644 (file)
@@ -202,6 +202,14 @@ RewriteRule "^/fridge"     "-"       [F]
 
     <p>See also the <a href="auth.html">Authentication and Authorization</a>
     howto.</p>
+
+    <p>See the <a href="../sections.html#merging">configuration sections
+    merging documentation</a> for a warning about how
+    <directive type="section" module="core">Limit</directive> inside
+    <directive type="section" module="core">Location</directive>
+    can silently override
+    <directive type="section" module="core">Directory</directive>
+    access restrictions.</p>
 </section>
 
 </manualpage>
index 9088e5cfe6d785e546174b1978481a3de22176ae..c39f6625d9ae4b40d22a23afe7507b1915ca539c 100644 (file)
@@ -2786,7 +2786,14 @@ methods</description>
     used in preference to a <directive type="section">Limit</directive>
     section when restricting access, since a <directive type="section"
     module="core">LimitExcept</directive> section provides protection
-    against arbitrary methods.</note>
+    against arbitrary methods.  See also the
+    <a href="../sections.html#merging">configuration sections
+    merging documentation</a> for a warning about how
+    <directive type="section">Limit</directive> inside
+    <directive type="section" module="core">Location</directive>
+    can silently override
+    <directive type="section" module="core">Directory</directive>
+    restrictions.</note>
 
     <p>The <directive type="section">Limit</directive> and
     <directive type="section" module="core">LimitExcept</directive>
index e2da71e08f5c001b75d77d9ca1fcd8601bef306b..e2974aa3a013116581d51c8edd873aaff3e4eef2 100644 (file)
@@ -542,6 +542,21 @@ are interpreted, it is important to understand how this works.</p>
         used in <code>.htaccess</code>, the enclosed directives in a parent 
         directory will be merged <em>after</em> non-enclosed directives in a 
         subdirectory.</li>
+        <li><note type="warning"><title>Caution: &lt;Limit&gt; inside
+        &lt;Location&gt; can silently grant access</title>
+        <p>Using <directive type="section" module="core">Limit</directive>
+        inside a <directive type="section" module="core">Location</directive>
+        section to restrict authorization to specific HTTP methods can have
+        unexpected results.  For methods not listed in the
+        <directive type="section" module="core">Limit</directive>, the
+        enclosing <directive type="section" module="core">Location</directive>
+        section is treated as having no authorization requirements — which
+        effectively grants access and overrides any
+        <directive type="section" module="core">Directory</directive>
+        restrictions that would otherwise apply.  Use
+        <directive type="section" module="core">LimitExcept</directive>
+        instead, or apply authorization without method restrictions.</p>
+        </note></li>
     </ul>
 
     <note><title>Technical Note</title>