httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41760] - .htaccess file ignored if AllowOverride None is used
Date Tue, 06 Mar 2007 16:52:12 GMT
http://issues.apache.org/bugzilla/show_bug.cgi?id=41760

------- Additional Comments From unruh@physics.ubc.ca  2007-03-06 08:52 -------
Yes, it has gone on too long and I think both our positions are clear.
However, I want nothing of the sort.

a) I want at the very least a warning in the .conf file that setting 
AllowOverride None
disables all .htaccess control.

b) At the next level, the disabling of .htaccess control should not be 
overloaded onto a configuration option which also does something else. Put in a
separate DisableAccessControl directive, which would make it abundantly clear to
administrators. 

c) Yes, my situation did result from a number of errors, e.g., Apache not warning
that AllowOverride None disables all .htaccess control and that the description
of that option claims it to be the default and to be conservative. Good software
design anticipates users' stupidities, and at the very least warns users where
problems could occur.

I also notice that you continue to not respond to my suggestions or complaints,
but operate in a "blame the user" mode. 

This report is at the very least feedback, that there is a SECURITY issue here
that has bitten at least one user (and by the rules of all business practice,
if one user complains, it probably means 1000 users have had the problem and not
bothered to complain). As I said, from the response I do not believe that you
will do anything at all about this. I clearly have no control over that. I will
continue to use Apache, but will no longer believe claims that Apache takes
security seriously. But I guess that is just my opinion and my problem.





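An added example, not part of the original message and not Apache httpd code: a small audit that lists .htaccess files sitting under a <Directory> section whose effective AllowOverride is None, which is the silent failure this report describes. It assumes the default AccessFileName (.htaccess), handles only plain <Directory path> sections in a single configuration text (no Include, DirectoryMatch or wildcard handling), and the function names are hypothetical.

```python
import os
import re

# Plain <Directory path> sections only; regex/wildcard forms are not matched.
SECTION_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)
SECTION_CLOSE = re.compile(r'^</Directory>$', re.I)
ALLOW = re.compile(r'^AllowOverride\s+(.+)$', re.I)

def allowoverride_by_directory(conf_text):
    """Map each <Directory path> section to the AllowOverride value set in it."""
    settings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = SECTION_OPEN.match(line)
        if opened:
            current = os.path.normpath(opened.group(1))
        elif SECTION_CLOSE.match(line):
            current = None
        elif current is not None and ALLOW.match(line):
            settings[current] = ALLOW.match(line).group(1).strip()
    return settings

def ignored_htaccess(conf_text, docroot):
    """Return sorted (htaccess_path, governing_section) pairs Apache will not read."""
    settings = allowoverride_by_directory(conf_text)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        here = os.path.normpath(dirpath)
        # Sections merge shortest path first, so the longest matching one wins.
        matches = [d for d in settings
                   if here == d or here.startswith(d.rstrip(os.sep) + os.sep)]
        if matches and settings[max(matches, key=len)].lower() == "none":
            findings.append((os.path.join(dirpath, ".htaccess"), max(matches, key=len)))
    return sorted(findings)

if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # constructed sample tree, not from the bug report
    os.makedirs(os.path.join(root, "private"))
    open(os.path.join(root, "private", ".htaccess"), "w").close()
    conf = f'<Directory "{root}">\n    AllowOverride None\n</Directory>\n'
    for path, section in ignored_htaccess(conf, root):
        print(f"{path}: ignored (AllowOverride None in <Directory {section}>)")
```

Directories with no governing AllowOverride are skipped rather than guessed at, since the built-in default depends on the httpd version.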