httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41760] - .htaccess file ignored if AllowOverride None is used
Date Tue, 06 Mar 2007 12:13:27 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41760>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41760

------- Additional Comments From nick@webthing.com  2007-03-06 04:13 -------
FWIW, this is evidently a case of the first myth discussed at
http://www.regdeveloper.co.uk/2006/08/01/apache_undead/
(In reply to comment #8)
> OK, it is clear that this is not going to be addressed. One of the selling
> points of Apache is taking security seriously, but in this case tradition is
> clearly more important than security. 

As André already said, .htaccess has nothing to do with security.  Except by
coincidence, where a user chooses to make it so.

> It is true that I went by the comments in the .conf file re the AllowOverride
> and did not see the comment in the documentation that None would disable all
> .htaccess. Note that the "Myths" clearly states "The only people to use
> .htaccess should be end-users who want control without having to bug the server
> admin." Which means that some action on the part of the sysadmin ( changing the
> AllowOverride to None) either deliberately or by accident ( installing a new
> version of Apache) can destroy the user's security.

Nonsense.  Installing a new version of Apache preserves your existing
httpd.conf, including AllowOverride settings.  To have messed it up, you must
have done something more than just upgrade.

> I would call that a design
> bug, but apparently this is a feature, not a bug. 
> 
> I had a bunch of solutions for assignments on a web directory which was not
> supposed to be seen by students ( and no I do not want to bury the security deep
> inside a config file which changes each time the system is upgraded--

If the config file changes, then your upgrade procedure is broken.

> security
> belongs with the stuff being protected, not buried somewhere else) and suddenly
> discovered it was available to all. ( I had my own machine as allowed in the
> .htaccess file, so was not surprised that I could see the pages.)
> 
> I will continue to think that this is idiotic behaviour for anyone who takes
> security at all seriously, but no longer expect that anyone else will pay any
> attention to my ranting about it, so with this rant will quit.

We also take performance seriously, so if there wasn't an option to disable the
htaccess overhead, we'd have to invent one.

But this particular behaviour hasn't changed since Apache 1.0 in 1995.  That's a
long time before someone reported it as a bug.


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
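The configuration situation the reporter describes, as an added illustration that is not part of the thread: an access restriction that lives only in .htaccess is silently ignored once the enclosing <Directory> carries AllowOverride None, whereas the same restriction placed in httpd.conf does not depend on AllowOverride at all. The paths and the 192.0.2.10 address are made up; the directive syntax is Apache 2.2 (the era of this bug), with the 2.4 equivalent noted.

```apache
# Added illustration, not taken from the bug thread. Apache does not allow
# comments at the end of a directive line, so every comment is on its own line.

# --- Weak layout: httpd.conf disables overrides for the tree ...
<Directory "/var/www/html/assignments">
    AllowOverride None
</Directory>

# ... so this /var/www/html/assignments/.htaccess is never even read, and the
# directory is served to everyone:
#     Order deny,allow
#     Deny from all
#     Allow from 192.0.2.10

# --- Hardened layout (replaces the <Directory> block above): the identical
# restriction in the main config, which no AllowOverride setting can switch off.
<Directory "/var/www/html/assignments">
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Directory>

# Apache 2.4 spelling of the same hardened block:
#     <Directory "/var/www/html/assignments">
#         AllowOverride None
#         Require ip 192.0.2.10
#     </Directory>

# If the directory owner must keep editing access control in .htaccess, grant
# only the override class those directives need (Limit for Order/Deny/Allow)
# rather than AllowOverride All, and document that the file depends on it:
#     <Directory "/var/www/html/assignments">
#         AllowOverride Limit
#     </Directory>
```

`apachectl configtest` checks syntax only; it will not warn that a .htaccess file sits under an AllowOverride None tree, so that has to be verified by reading the effective <Directory> blocks.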

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org