PerlMonks  

Re: Re: .htaccess and $ENV{

by echo (Pilgrim)
on Aug 09, 2001 at 18:52 UTC


in reply to Re: .htaccess and $ENV{
in thread .htaccess and $ENV{

Don't use <Limit GET POST>!! It's a leftover from NCSA days. It will actually limit authentication to only those methods, GET and POST. A malicious user can craft a request using another method, e.g. PUT, and that request will bypass your authentication. Folks, don't use LIMIT containers unless you know what you're doing.

Re: Re: Re: .htaccess and $ENV{
by mischief (Hermit) on Aug 09, 2001 at 22:16 UTC

    As echo says, you shouldn't use the Limit directives in this case - it really means "only limit the HTTP request methods...".

    Just to clarify, all you have to do is turn this:

    <Limit GET POST>
    require group Xdwp
    </Limit>

    into this:

    require valid-user

    The first example means that to log in successfully, the username submitted has to match the password of that user (obviously), and also be in the group "Xdwp". In the second example, all that has to happen is that the username has to be in the password file.

    This has absolutely nothing to do with Perl though, so I'd suggest having a look at the docs on httpd.apache.org (http://httpd.apache.org/docs/mod/core.html#require).

      Thank you echo and mischief for pointing out that I ought not to be using Limit directives. I will fix my .htaccess file.
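
A small linter for the pattern warned about in this thread, added here as an example (not code from any poster): it flags `require` lines wrapped in a `<Limit>` container and returns the file with the wrapper removed so the requirement applies to every method. The sample file, its `AuthUserFile` path and the function names are constructed for illustration.

```python
import re

# Constructed sample: the container quoted in the thread plus typical
# auth lines. The AuthUserFile path is a placeholder.
SAMPLE = """\
AuthType Basic
AuthName "Members"
AuthUserFile /path/to/.htpasswd
<Limit GET POST>
require group Xdwp
</Limit>
"""

# "\s+" after "Limit" keeps <LimitExcept ...> from matching.
OPEN = re.compile(r"^\s*<Limit\s+([^>]*)>", re.I)
CLOSE = re.compile(r"^\s*</Limit\s*>", re.I)
REQUIRE = re.compile(r"^\s*require\b", re.I)

def find_limited_requires(text):
    """Return (line_no, directive, methods) for each require inside <Limit>."""
    findings, methods = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = OPEN.match(line)
        if m:
            methods = m.group(1).split()
        elif CLOSE.match(line):
            methods = None
        elif methods is not None and REQUIRE.match(line):
            findings.append((no, line.strip(), methods))
    return findings

def strip_limit(text):
    """Drop the <Limit> wrapper lines so require covers all methods."""
    kept = [l for l in text.splitlines()
            if not OPEN.match(l) and not CLOSE.match(l)]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for no, directive, methods in find_limited_requires(SAMPLE):
        print(f"line {no}: '{directive}' is enforced only for "
              f"{', '.join(methods)}; other methods are not covered")
    print(strip_limit(SAMPLE))
```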
