By jax on
In the .htaccess file you find the following snippet:
<FilesMatch "(\.(engine|...)$">
Order deny,allow
Deny from all
</FilesMatch>
Which means, default is Allow except requests that match one of the Deny rules. I was always told that the default should be Deny and only Allow from those that need access. So technically the following does the same but it is 'more correct':
<FilesMatch "(\.(engine|...)$">
Order allow,deny
</FilesMatch>
So actually I don't understand why the first approach was chosen. In firewalls and other security related stuff the right approach always is "Deny from all and allow what is allowed", not "Allow from all and deny what is not allowed".
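The two snippets compared in the post above can be checked with a small model of how Apache 2.2 evaluates Order/Allow/Deny. This is an added example, not code from the thread or from Drupal; the function names and the client address are assumptions made for illustration, and only `all`, single IPs and CIDR ranges are handled as `from` values.

```python
import ipaddress

def _matches(specs, client):
    """True if the client matches any 'from' spec: 'all', an IP, or a CIDR."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def access_allowed(order, allow, deny, client):
    """Model of Apache 2.2 Order/Allow/Deny for one client address."""
    order = order.replace(" ", "").lower()
    allowed = _matches(allow, client)
    denied = _matches(deny, client)
    if order == "deny,allow":
        # Deny rules are checked first and Allow rules can override them.
        # A client matching neither list is allowed (default allow).
        return allowed or not denied
    if order == "allow,deny":
        # The client must match an Allow rule and no Deny rule.
        # A client matching neither list is denied (default deny).
        return allowed and not denied
    raise ValueError("unsupported Order value: %r" % order)

CLIENT = "203.0.113.7"  # constructed sample address, not from the thread

def compare(client=CLIENT):
    """Outcome for the shipped snippet, the proposed one, and two edge cases."""
    return {
        "shipped: deny,allow + Deny from all":
            access_allowed("deny,allow", [], ["all"], client),
        "proposed: allow,deny with no rules":
            access_allowed("allow,deny", [], [], client),
        "deny,allow with the Deny line removed":
            access_allowed("deny,allow", [], [], client),
        "deny,allow + Deny from all + Allow from 203.0.113.0/24":
            access_allowed("deny,allow", ["203.0.113.0/24"], ["all"], client),
    }

if __name__ == "__main__":
    for case, result in compare().items():
        print("%-58s -> %s" % (case, "allowed" if result else "denied"))
```

Both snippets deny the matched files. They differ in what happens when a rule goes missing: with `Order deny,allow`, losing the `Deny from all` line leaves the files readable, while `Order allow,deny` with no rules still denies.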
Comments
Hm?
The snippet works the opposite way from what you describe. Here's an example from the mod_access documentation:
In other words, we're already doing "Deny from all and allow what is allowed." We're just not allowing any access to those files matched by the regular expression.
Never mind, I've just been schooled by Morbus :)
Uh. I don't know why it's done that way. Because no one ever rolled a patch to do it the other way? ;)
You're on crack. Keep reading:
Jaza: I'd +1 a patch.
http://www.disobey.com/
http://www.gamegrene.com/
Developer of Drupal's GameAPI
patch available
here http://drupal.org/node/93865