httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41760] - .htaccess file ignored if AllowOverride None is used
Date Tue, 06 Mar 2007 16:22:41 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=41760

------- Additional Comments From slive@apache.org  2007-03-06 08:22 -------
Obviously this thread has already gone too far, but I can't resist.

What you don't seem to realize is that there are important reasons why you
*wouldn't* want apache to need to check for the existence of .htaccess.  In
particular, this is a significant performance drain for high-traffic static-file
sites.  

So you want to make it impossible to tune apache for high performance, because
security may be compromised by admin errors.  By the same logic, we should
remove the plain-HTTP protocol from the server and only allow SSL/TLS. 
Otherwise a bad admin could disclose sensitive information to hackers.  (Oh, and
obviously we also need to remove the AccessFileName directive, since changing
this would also cause .htaccess files to be ignored.)  

In addition, your problem was caused by multiple errors on your end.  First,
your admin made an error when upgrading.  Second, you are not following best
practices for avoiding disclosure of confidential information.  This information
should 1) not be in a web-accessible directory; and 2) have unix file-system
permissions forbidding access to the webserver process.
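
An added example, not part of the original comment or of Apache httpd: a Python check for the failure mode discussed in this thread, listing `.htaccess` files on disk that a configuration will not read because `AllowOverride None` applies or `AccessFileName` no longer names them. It models only plain `<Directory>` sections; the `default` value and the constructed sample tree in `demo()` are assumptions.

```python
import os
import re
import tempfile

# Simplified model (assumption): plain <Directory "path"> sections only; no
# Include, wildcards, <DirectoryMatch> or per-vhost overrides.
SECTION = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)
ACCESS_NAME = re.compile(r'^\s*AccessFileName\s+(.+?)\s*$', re.M | re.I)

def parse_overrides(conf):
    """Map each <Directory> path to the AllowOverride value it sets."""
    rules = {}
    for path, body in SECTION.findall(conf):
        m = OVERRIDE.search(body)
        if m:
            rules[os.path.normpath(path.strip())] = m.group(1)
    return rules

def effective_override(directory, rules, default="None"):
    """Most specific enclosing <Directory> wins; default varies by httpd version."""
    best, value = -1, default
    for path, setting in rules.items():
        if os.path.commonpath([directory, path]) == path and len(path) > best:
            best, value = len(path), setting
    return value

def ignored_access_files(conf, docroot, default="None"):
    """Return .htaccess files under docroot that this config will not read."""
    rules = parse_overrides(conf)
    m = ACCESS_NAME.search(conf)
    names = m.group(1).split() if m else [".htaccess"]
    ignored = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        setting = effective_override(dirpath, rules, default)
        if ".htaccess" not in names or setting.lower() == "none":
            ignored.append(os.path.join(dirpath, ".htaccess"))
    return sorted(ignored)

def demo():
    """Constructed tree: 'private' relies on .htaccess under AllowOverride None."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("private", "public"):
            os.makedirs(os.path.join(root, sub))
            open(os.path.join(root, sub, ".htaccess"), "w").close()
        conf = (f'<Directory "{root}">\n  AllowOverride None\n</Directory>\n'
                f'<Directory "{root}/public">\n  AllowOverride AuthConfig\n</Directory>\n')
        return [os.path.relpath(p, root) for p in ignored_access_files(conf, root)]
```

Run against the configuration that will be live after an upgrade, any file it reports is an access control that has silently stopped applying.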
