From: Rich Bowen <rbowen@apache.org>
Date: Sat, 2 May 2026 19:54:14 +0000 (+0000)
Subject: Bug 69891: Warn that <Limit> inside <Location> can silently override <Directory>... 
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bf137ca132ade17f9995512da424341713c2c05c;p=thirdparty%2Fapache%2Fhttpd.git

Bug 69891: Warn that <Limit> inside <Location> can silently override <Directory> auth

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933720 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/howto/access.xml b/docs/manual/howto/access.xml
index e8a59f2f43..5861e124d9 100644
--- a/docs/manual/howto/access.xml
+++ b/docs/manual/howto/access.xml
@@ -202,6 +202,14 @@ RewriteRule "^/fridge"     "-"       [F]
 
     <p>See also the <a href="auth.html">Authentication and Authorization</a>
     howto.</p>
+
+    <p>See the <a href="../sections.html#merging">configuration sections
+    merging documentation</a> for a warning about how
+    <directive type="section" module="core">Limit</directive> inside
+    <directive type="section" module="core">Location</directive>
+    can silently override
+    <directive type="section" module="core">Directory</directive>
+    access restrictions.</p>
 </section>
 
 </manualpage>
diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml
index 9088e5cfe6..c39f6625d9 100644
--- a/docs/manual/mod/core.xml
+++ b/docs/manual/mod/core.xml
@@ -2786,7 +2786,14 @@ methods</description>
     used in preference to a <directive type="section">Limit</directive>
     section when restricting access, since a <directive type="section"
     module="core">LimitExcept</directive> section provides protection
-    against arbitrary methods.</note>
+    against arbitrary methods.  See also the
+    <a href="../sections.html#merging">configuration sections
+    merging documentation</a> for a warning about how
+    <directive type="section">Limit</directive> inside
+    <directive type="section" module="core">Location</directive>
+    can silently override
+    <directive type="section" module="core">Directory</directive>
+    restrictions.</note>
 
     <p>The <directive type="section">Limit</directive> and
     <directive type="section" module="core">LimitExcept</directive>
diff --git a/docs/manual/sections.xml b/docs/manual/sections.xml
index e2da71e08f..e2974aa3a0 100644
--- a/docs/manual/sections.xml
+++ b/docs/manual/sections.xml
@@ -542,6 +542,21 @@ are interpreted, it is important to understand how this works.</p>
         used in <code>.htaccess</code>, the enclosed directives in a parent 
         directory will be merged <em>after</em> non-enclosed directives in a 
         subdirectory.</li>
+        <li><note type="warning"><title>Caution: &lt;Limit&gt; inside
+        &lt;Location&gt; can silently grant access</title>
+        <p>Using <directive type="section" module="core">Limit</directive>
+        inside a <directive type="section" module="core">Location</directive>
+        section to restrict authorization to specific HTTP methods can have
+        unexpected results.  For methods not listed in the
+        <directive type="section" module="core">Limit</directive>, the
+        enclosing <directive type="section" module="core">Location</directive>
+        section is treated as having no authorization requirements â which
+        effectively grants access and overrides any
+        <directive type="section" module="core">Directory</directive>
+        restrictions that would otherwise apply.  Use
+        <directive type="section" module="core">LimitExcept</directive>
+        instead, or apply authorization without method restrictions.</p>
+        </note></li>
     </ul>
 
     <note><title>Technical Note</title>
