httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41760] - .htaccess file ignored if AllowOverride None is used
Date Tue, 06 Mar 2007 01:53:43 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41760>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41760





------- Additional Comments From unruh@physics.ubc.ca  2007-03-05 17:53 -------
OK, it is clear that this is not going to be addressed. One of the selling
points of Apache is taking security seriously, but in this case tradition is
clearly more important than security. 

It is true that I went by the comments in the .conf file re the AllowOverride
and did not see the comment in the documentation that None would disable all
.htaccess. Note that the "Myths" clearly states "The only people to use
.htaccess should be end-users who want control without having to bug the server
admin," which means that some action on the part of the sysadmin (changing the
AllowOverride to None) either deliberately or by accident (installing a new
version of Apache) can destroy the user's security. I would call that a design
bug, but apparently this is a feature, not a bug.

I had a bunch of solutions for assignments on a web directory which was not
supposed to be seen by students (and no, I do not want to bury the security deep
inside a config file which changes each time the system is upgraded -- security
belongs with the stuff being protected, not buried somewhere else) and suddenly
discovered it was available to all. (I had my own machine as allowed in the
.htaccess file, so was not surprised that I could see the pages.)

I will continue to think that this is idiotic behaviour for anyone who takes
security at all seriously, but no longer expect that anyone else will pay any
attention to my ranting about it, so with this rant will quit.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
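The comment above describes the failure mode: access rules kept in a .htaccess file are silently ignored once the effective AllowOverride for that directory is None, so the directory becomes world-readable without any error. The audit script below is an added example, not code from the bug report or from the Apache project. It assumes a simplified model of httpd.conf (non-regex <Directory> blocks only, the most specific enclosing block that sets AllowOverride wins, and the Apache 2.4 default of None when no block sets it), and it generalizes the reporter's single case by walking a whole document root. The directory tree, config text and 192.0.2.0/24 address range are constructed for the demo.

```python
"""Find .htaccess files whose access-control directives Apache will ignore.

Added example (not from the bug report or Apache). Simplified model:
only plain <Directory> blocks are parsed, the longest matching block that
sets AllowOverride wins, and the default is None (Apache 2.4 default).
"""
import os
import re
import tempfile

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
DIR_CLOSE = re.compile(r'^\s*</Directory>', re.IGNORECASE)
ALLOW_OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.IGNORECASE)
# Directives that only take effect in .htaccess when AllowOverride permits them.
ACCESS_DIRECTIVES = re.compile(
    r'^\s*(Require|Order|Allow|Deny|AuthType|AuthUserFile)\b',
    re.IGNORECASE | re.MULTILINE)


def parse_allow_override(conf_text):
    """Return {directory_path: AllowOverride value} for blocks that set it."""
    result = {}
    current = None
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0]  # drop trailing comments (simplified)
        m = DIR_OPEN.match(line)
        if m:
            current = os.path.normpath(m.group(1))
            continue
        if DIR_CLOSE.match(line):
            current = None
            continue
        m = ALLOW_OVERRIDE.match(line)
        if m and current is not None:
            result[current] = m.group(1).strip()
    return result


def effective_allow_override(path, overrides, default='None'):
    """Value from the most specific <Directory> prefix that sets AllowOverride;
    falls back to the default when no block covers the path."""
    path = os.path.normpath(path)
    best = None
    for d in overrides:
        if path == d or path.startswith(d.rstrip('/') + '/'):
            if best is None or len(d) > len(best):
                best = d
    return overrides[best] if best is not None else default


def find_ignored_htaccess(docroot, overrides):
    """Walk docroot and return .htaccess files that carry access-control
    directives but sit under an effective AllowOverride None."""
    ignored = []
    for dirpath, _dirs, files in os.walk(docroot):
        if '.htaccess' not in files:
            continue
        ht = os.path.join(dirpath, '.htaccess')
        with open(ht) as fh:
            body = fh.read()
        if not ACCESS_DIRECTIVES.search(body):
            continue  # nothing security-relevant in this file
        if effective_allow_override(dirpath, overrides).lower() == 'none':
            ignored.append(ht)
    return sorted(ignored)


def demo():
    """Build a constructed docroot plus config and audit it.
    Returns flagged .htaccess paths relative to the docroot."""
    docroot = os.path.join(tempfile.mkdtemp(), 'html')
    tree = {  # constructed sample files
        'solutions/.htaccess': 'Order deny,allow\nDeny from all\nAllow from 192.0.2.0/24\n',
        'public/.htaccess': 'Options -Indexes\n',
        'private/.htaccess': 'Require all denied\n',
    }
    for rel, body in tree.items():
        full = os.path.join(docroot, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write(body)
    conf = f'''
<Directory />
    AllowOverride None
</Directory>
<Directory "{docroot}">
    AllowOverride None
</Directory>
<Directory "{docroot}/private">
    AllowOverride AuthConfig Limit
</Directory>
'''
    flagged = find_ignored_htaccess(docroot, parse_allow_override(conf))
    return [os.path.relpath(p, docroot) for p in flagged]


if __name__ == '__main__':
    print(demo())
```

In the demo only solutions/.htaccess is reported: its Deny/Allow rules fall under AllowOverride None and so are ignored, which is exactly the silent exposure the reporter hit; private/.htaccess is covered by a block that permits AuthConfig and Limit, and public/.htaccess contains no access-control directive. Running a check like this after every Apache upgrade or config rollout is the practical mitigation when access rules must live next to the protected files.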
