httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41760] - .htaccess file ignored if AllowOverride None is used
Date Tue, 06 Mar 2007 15:10:54 GMT
http://issues.apache.org/bugzilla/show_bug.cgi?id=41760

------- Additional Comments From unruh@physics.ubc.ca  2007-03-06 07:10 -------
OK, you want a response, I guess, so I will give one.

.htaccess is and has been advocated in many places as the way to institute
security. The reason it is claimed as a myth is precisely because it is so
widely practiced. Also it makes much more sense to associate security with the
directory that is being secured than it is to bury it in a config file that
only the sysadmin is able to get at and forget about. I.e., not only is it widely
practiced, it is a sensible practice. Except on very high volume web sites,
the overhead is minimal, and for those high volume sites, having alternatives
in the .conf file is a great idea.

b) I have suggested time and again, but you are not listening, that if
AllowOverride None is there, the presence of a .htaccess file should disallow
access, not allow it. Security defaults should NOT, by default, switch off security.
Yes, .htaccess CAN be used for other things. I suspect that if you look around
the world, by far the greatest use of .htaccess is to limit access to
directories -- to implement security. Ignoring that may be convenient to you, but
I still place it in the "That's not a bug, that's a feature" category.

c) In the .conf file, AllowOverride None is called "conservative" and no mention
is made that this disables .htaccess completely. This is just wrong. Apache, as
with all computer programs, is used by people who have other jobs to do and do
not memorize the manual. They trust what is written in the sample .conf files.

d) Apache has changed from Apache 1 to Apache 2 with massive changes to the .conf
file structures, changes which continue. Furthermore, for most Linux
distributions the advice is "reinstall, do not upgrade". That means that on each
reinstall .conf files must be recreated. And a simple diff between the old and
new is impossible because so many changes have been made. It is simply
impossible for anyone without a massive excess of time on their hands to go
through each and every one of the options once again to see what it does, to see
if it destroys previously built security. One assumes that the defaults Apache
puts in will not disable security, especially from a group who claims to value
security. And to add insult to injury, Apache claims that this destruction of a
security barrier is "conservative" practice.

e) The claim "You are the first to complain about this" is the resort of
incompetent and shady businesses around the world. I suspect that there are
still a number of bugs in Apache which have been there since day 1. To dismiss a
bug report on that basis is simply idiotic. Read my reasoning and argue with
that. Do not claim "tradition" to defend a bad security practice.

In my opinion, this IS a bug, and for you to defend it on the basis that it has
always been there so it's OK simply makes you look bad.


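The failure mode argued over in this bug, a .htaccess file that httpd silently ignores because AllowOverride None covers its directory, can be audited for ahead of time. The script below is an added example, not code from the bug report or from the httpd project: it parses a simplified httpd.conf (literal `<Directory>` paths with explicit AllowOverride lines only; regex and wildcard sections are skipped, and the server-wide default is not assumed) and reports every .htaccess whose most specific covering section says None. The configuration, paths and function names are constructed for illustration.

```python
import os
import re

# Literal <Directory> paths only; regex "~" and wildcard forms are skipped.
_DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>\s*$', re.I)
_DIR_CLOSE = re.compile(r'^\s*</Directory>\s*$', re.I)
_OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I)


def parse_allow_override(conf_text):
    """Map each literal <Directory> path to its explicit AllowOverride value."""
    rules, current = {}, None
    for line in conf_text.splitlines():
        if (m := _DIR_OPEN.match(line)):
            target = m.group(1).rstrip('/') or '/'
            current = None if any(c in target for c in '~*?') else target
        elif _DIR_CLOSE.match(line):
            current = None
        elif (m := _OVERRIDE.match(line)) and current:
            rules[current] = m.group(1)
    return rules


def effective_override(directory, rules):
    """Longest matching <Directory> prefix wins, as in httpd's merge order."""
    best = None
    for path, value in rules.items():
        if directory == path or directory.startswith(path.rstrip('/') + '/'):
            if best is None or len(path) > len(best[0]):
                best = (path, value)
    return best[1] if best else None


def ignored_htaccess(conf_text, htaccess_paths):
    """Return the .htaccess files httpd will never read under this config."""
    rules = parse_allow_override(conf_text)
    return [p for p in htaccess_paths
            if (effective_override(os.path.dirname(p), rules) or '').lower() == 'none']


# Constructed sample config and .htaccess list standing in for a real server.
SAMPLE_CONF = """\
<Directory "/var/www/html">
    AllowOverride None
</Directory>
<Directory "/var/www/html/members">
    AllowOverride AuthConfig
</Directory>
"""
SAMPLE_HTACCESS = [
    "/var/www/html/private/.htaccess",       # inherits None: silently ignored
    "/var/www/html/members/.htaccess",       # AuthConfig: honoured
    "/var/www/html/members/data/.htaccess",  # inherits AuthConfig: honoured
]
```

On a live host, build the path list with `os.walk` over the DocumentRoot and feed it with the real httpd.conf; every path returned is an access restriction the administrator believes is in force but httpd never reads.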
