From: Joe Orton Date: Mon, 15 Jun 2026 08:05:09 +0000 (+0000) Subject: * SECURITY.md: Tweak wording around delegated configs. X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;p=thirdparty%2Fapache%2Fhttpd.git * SECURITY.md: Tweak wording around delegated configs. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935333 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/SECURITY.md b/SECURITY.md index 8d2c84da5a..24bf4e3f2c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -103,15 +103,21 @@ CVE-2012-0031. ## Delegated Configuration Server configuration can be delegated to trusted local site authors by -allowing use of .htaccess files in non-default configurations. Local -site authors are trusted to not attack the server with malformed or -malicious .htaccess files (for example, files of excessive size). +allowing use of .htaccess files in some configurations (see +https://httpd.apache.org/docs/2.4/howto/htaccess.html). Site authors +gain a significant degree of control over, and access to, the server +at run-time: -In configurations supporting in-process scripting language interpreters -which are not sandboxed, such as `mod_lua` or `mod_php`, local site -authors have equivalent privileges to the less-privileged server user. +* site authors are trusted to not attack the server with malformed or + malicious .htaccess files (for example, files of excessive size). + +* site authors gain access to some data (such as files or the + environment) which is otherwise restricted. -(### TODO something about AllowOverride) +In configurations supporting in-process scripting language interpreters +which are not sandboxed, such as `mod_lua` or `mod_php`, +site authors have exactly equivalent privileges to the user which the +server runs as. ## Dependent Services
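Review bot: the hunk deletes the `(### TODO something about AllowOverride)` placeholder but the replacement text never names `AllowOverride`, which is the directive that decides whether .htaccess files are processed at all and which categories of directives a site author may use; since this section is about how much configuration is delegated, the new paragraph should say that `AllowOverride None` disables delegation entirely and that the access a site author gains is bounded by the override categories granted, rather than relying only on the link to the htaccess howto. The new second bullet ("site authors gain access to some data (such as files or the environment) which is otherwise restricted") is also vague about the mechanism; consider spelling out that .htaccess directives run with the server's privileges, so a site author can reach any file the server user can read and can influence the environment seen by scripts, which is what justifies the final paragraph's "exactly equivalent privileges" claim for `mod_lua` or `mod_php`.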