httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41760] - .htaccess file ignored if AllowOverride None is used
Date Mon, 05 Mar 2007 21:42:32 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41760>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41760


unruh@physics.ubc.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




------- Additional Comments From unruh@physics.ubc.ca  2007-03-05 13:42 -------
Let me try once again.
A .htaccess file on a directory should mean that the organizer of that directory
wants to place some access control on that directory. That is why Apache, when
it finds a .htaccess file which it cannot read (e.g. due to permissions),
disallows all access. It assumes that the user has made a mistake, which
happens. (Good software design is in part trying to figure out what mistakes a
user could make and anticipating them.)
In this case, a .htaccess file exists, and if for some reason the .conf file is
changed (as happens when people upgrade or reinstall) and if it happens that
the config file has AllowOverride None (which is the default apparently), then
suddenly the .htaccess files are ignored.
This is a security hole and a bug, no matter if this is how it has always been
or not.

I am a non-naive user, and I have been bitten. Whether or not I should have
known that AllowOverride None disables all .htaccess files is irrelevant.
Anything which destroys security is a bug.

Note that there is nothing in the manual either that states that AllowOverride
None makes .htaccess files ignored. 
Note also that the description of the AllowOverride says that None is the most
conservative choice. It is not, it is the most insecure choice.

The presence of a .htaccess file should always trigger security, with the
default being no access. The default should NEVER be to allow all access if a
.htaccess file exists. 



-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
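An added example, not code from the bug report or from httpd itself: a small Python audit that parses the `<Directory>` sections of a constructed httpd.conf fragment and reports every directory whose .htaccess file will be silently ignored because its effective AllowOverride is None, which is the situation the comment above describes. Assumptions: plain path sections only (no wildcards, regex or `<DirectoryMatch>`), and None as the default when no section matches.

```python
import os
import re

# Constructed sample httpd.conf fragment (not from the bug report): the
# DocumentRoot is locked to AllowOverride None; one subtree re-enables
# AuthConfig so the access rules in its .htaccess are honoured.
SAMPLE_CONF = """
<Directory "/var/www">
    AllowOverride None
</Directory>
<Directory "/var/www/members">
    AllowOverride AuthConfig
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OVR_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def parse_overrides(conf):
    """Map each plain <Directory> path to its AllowOverride value.
    Assumption: no wildcard, regex or <DirectoryMatch> sections."""
    overrides = {}
    for path, body in DIR_RE.findall(conf):
        match = OVR_RE.search(body)
        if match:
            overrides[os.path.normpath(path)] = match.group(1).strip()
    return overrides

def effective_override(overrides, directory):
    """Apache merges <Directory> sections shortest path first, so the longest
    matching path decides. With no match we assume None, the built-in default
    since httpd 2.3.9 (2.2 defaulted to All)."""
    directory = os.path.normpath(directory)
    best = None
    for path, value in overrides.items():
        if directory == path or directory.startswith(path.rstrip("/") + "/"):
            if best is None or len(path) > len(best[0]):
                best = (path, value)
    return best[1] if best else "None"

def find_htaccess_dirs(docroot):
    """Every directory under docroot that carries a .htaccess file."""
    return [d for d, _sub, files in os.walk(docroot) if ".htaccess" in files]

def ignored_htaccess(overrides, htaccess_dirs):
    """Directories whose .htaccess exists but is silently skipped because the
    effective AllowOverride is None: the situation the bug report describes."""
    return sorted(d for d in htaccess_dirs
                  if effective_override(overrides, d).lower() == "none")
```

To audit a real server, parse the live httpd.conf with `parse_overrides` and pass `find_htaccess_dirs("/path/to/DocumentRoot")` to `ignored_htaccess`; every path it returns is an access-control file the server is not reading.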

