If RewriteCond (or any other Apache directive) doesn't behave as documented, tha... | Hacker News

Hacker News .hnnew | past | comments | ask | show | jobs | submit

amiga386 10 months ago | parent | context | favorite | on: Apache HTTP Server: 'RewriteCond expr' always eval...

If RewriteCond (or any other Apache directive) doesn't behave as documented, that's a correctness issue.

If you use RewriteCond as the basis of securing your website, that's a security issue for you.

If it's a security issue for a significant number of users, or if the documentation recommends using the directive for a security role, then it's also a security issue for the product itself.

inopinatus 10 months ago [–]

If upgrade/reframe that last point more strongly. Any configuration of software that is accepted by its own parser is in product scope.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact