From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 41760] - .htaccess file ignored if AllowOverride None is used
Message-Id: <20070306162241.6D5E7714095@brutus.apache.org>
Date: Tue, 6 Mar 2007 08:22:41 -0800 (PST)

http://issues.apache.org/bugzilla/show_bug.cgi?id=41760

------- Additional Comments From slive@apache.org 2007-03-06 08:22 -------

Obviously this thread has already gone too far, but I can't resist.

What you don't seem to realize is that there are important reasons why you *wouldn't* want apache to need to check for the existence of .htaccess. In particular, this is a significant performance drain for high-traffic static-file sites.

So you want to make it impossible to tune apache for high performance, because security may be compromised by admin errors. By the same logic, we should remove the plain-HTTP protocol from the server and only allow SSL/TLS. Otherwise a bad admin could disclose sensitive information to hackers. (Oh, and obviously we also need to remove the AccessFileName directive, since changing this would also cause .htaccess files to be ignored.)

In addition, your problem was caused by multiple errors on your end. First, your admin made an error when upgrading. Second, you are not following best practices for avoiding disclosure of confidential information. This information should 1) not be in a web-accessible directory; and 2) have unix file-system permissions forbidding access to the webserver process.
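
An added example, not part of the bug comment or of Apache's own tooling: a pre-deployment check that lists .htaccess files sitting in directories where AllowOverride None is in effect, so an upgrade or config change that silently disables them is caught. It assumes plain-path <Directory> sections only (no wildcards, regex sections or Include handling); the function names, the sample config and the `default` value (set it to your server version's AllowOverride default) are constructed for illustration.

```python
import os, re, tempfile

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory>', re.I)
ALLOW = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I)

def parse_overrides(conf_text):
    """Map each plain-path <Directory> section to its AllowOverride value."""
    overrides, current = {}, None
    for line in conf_text.splitlines():
        if m := DIR_OPEN.match(line):
            current = os.path.normpath(m.group(1))
        elif DIR_CLOSE.match(line):
            current = None
        elif current and (m := ALLOW.match(line)):
            overrides[current] = m.group(1)
    return overrides

def effective_override(path, overrides, default):
    """Longest matching <Directory> prefix wins (sections merge shortest first)."""
    best, value = -1, default
    for d, v in overrides.items():
        inside = path == d or path.startswith(d.rstrip(os.sep) + os.sep)
        if inside and len(d) > best:
            best, value = len(d), v
    return value

def ignored_htaccess(docroot, conf_text, default="None"):
    """Return .htaccess files under docroot that the server will never read."""
    overrides = parse_overrides(conf_text)
    hits = []
    for root, _dirs, files in os.walk(docroot):
        value = effective_override(os.path.normpath(root), overrides, default)
        if ".htaccess" in files and value.lower() == "none":
            hits.append(os.path.join(root, ".htaccess"))
    return sorted(hits)

def demo():
    """Constructed sample tree: only 'public' has overrides enabled."""
    with tempfile.TemporaryDirectory() as top:
        top = os.path.realpath(top)
        for sub in ("public", "private"):
            os.makedirs(os.path.join(top, sub))
            open(os.path.join(top, sub, ".htaccess"), "w").close()
        conf = (f'<Directory "{top}">\n  AllowOverride None\n</Directory>\n'
                f'<Directory "{top}/public">\n  AllowOverride AuthConfig\n</Directory>\n')
        return [os.path.relpath(p, top) for p in ignored_htaccess(top, conf)]
```

Any file this reports is an access rule the server is not enforcing; move the rule into the main configuration or move the protected data out of the web-accessible tree.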