httpd-dev mailing list archives

From Ben Laurie <>
Subject Re: WWW Form Bug Report: "Nested dirs with .htaccess: only last one prevails. Security bug!" on BSDI (fwd)
Date Mon, 06 Jan 1997 18:50:41 GMT
Rob Hartill wrote:
> Any comments ?
> Are .htaccess files meant to override each other? The "AllowOverride"
> directive sounds like that's the case.

It isn't as simple as that. I agonised over this for the book, but gave up on
it in the end. The trouble is that the behaviour of nested .htaccess (and,
indeed, nested anything-elses) is defined by the directory merger for the
module. mod_access doesn't have one, so the default behaviour obtains, which
is for the lowest level to override all others[1]. This ought to be true for
1.1.1, too, so I'm a little puzzled that it wasn't seen there.

AllowOverride determines whether .htaccess files are allowed to modify certain
things _at all_, not the way in which it modifies them.

It is my growing feeling that altogether too much is left to chance in this
configuration business.

I have to say that, IMO, the principle of least amazement is not being followed
in this case.

On the other hand, how you merge "order allow,deny" with "order deny,allow" is
an interesting question. Probably by preserving the entire chain of access
permissions, and testing from top to bottom, following the prevailing rule at
each level.

It is worth noting that if we change this behaviour, it'll break existing
sites unless we make it configurable.



Footnote 1: the mere presence of a .htaccess file will cause an empty
configuration to be created for every module.

> ---------- Forwarded message ----------
> Date: Sun Jan 5 21:35:02 1997
> From:
> To:
> Subject: WWW Form Bug Report: "Nested dirs with .htaccess: only last one prevails. Security
> bug!" on BSDI
> Submitter:
> Operating system: BSDI, version: 
> Version of Apache Used: 1.2b4
> Extra Modules used: CC=shlic2  mod_status mod_info
> URL exhibiting problem:
> Symptoms:
> --
> I've been able to recreate a simple test case of
> a complex bug reported by one of my users.
> I set up the following files under ~/public_html/
> ./.htaccess
> ./dir1/.htaccess
> ./dir1/dir2/data.html
> ./dir1/dir2/.htaccess
> Assume that you are accessing from a host listed
> in a "deny" directive in ./.htaccess,
> but not listed in dir1/.htaccess, then access
> to dir1/ will be permitted.
> Basically, it seems that only the lowest-level
> .htaccess file is having an effect, rather than
> the effects of all .htaccess files being concatenated.
> What my user is trying to do is to set up a set of
> increasingly more restrictive "gates"; at the
> top level blocking .mil and .gov, at a second
> level blocking out all .k12. accesses, and at
> a third level blocking out still other accesses.
> Didn't notice this problem under 1.1, it showed
> up when I upgraded to 1.2b2.  Didn't see it in bug
> list, but upgraded to 1.2b4 before complaining.
> I've provided the URL to enough files to reproduce
> the problem, all nicely SHARed up for you.
> If you need my server /conf/ files I'll make them
> available to you; they are fairly close to the
> distributed ones, modulo an "AllowOverride All"
> directive, and the /status stuff.
> I've read all the documentation pretty carefully,
> but this might be my error.  If so, please advise
> what flag/directive/whatever I need to adjust.
> 	Thanks!
> 	 -Mike
> --
> Backtrace:
> --
> --

Ben Laurie                Phone: +44 (181) 994 6435  Email:
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL:
A.L. Digital Ltd,         Apache Group member (
London, England.          Apache-SSL author
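As an added illustration, not code from this thread or from Apache itself, the following Python model contrasts the two merge behaviours discussed above: the default directory merger, in which the lowest-level .htaccess replaces everything above it, and Ben's suggested alternative of keeping the whole chain of per-directory configs and testing them top to bottom. The directory layout, "Order"/"deny from" patterns and hostnames are constructed from the bug report; the matching rules are a simplification of mod_access (domain suffix or "all").

```python
"""Model of how per-directory access configs combine in Apache 1.2-era httpd.

Added example (not from the mailing-list thread or the Apache sources).
'override' = the default merger described by Ben: only the deepest
.htaccess counts. 'chain' = his proposal: keep every level and require
each level, top to bottom, to grant access under its own Order rule.
"""
from dataclasses import dataclass, field

@dataclass
class AccessConfig:
    order: str = "deny,allow"                   # the "Order" directive
    allow: list = field(default_factory=list)   # "allow from ..." patterns
    deny: list = field(default_factory=list)    # "deny from ..." patterns

def matches(host, patterns):
    """Simplified mod_access match: 'all' or a domain suffix."""
    return any(p == "all" or host.endswith(p) for p in patterns)

def evaluate(cfg, host):
    """Apply one level's Order semantics; True means access granted."""
    allowed, denied = matches(host, cfg.allow), matches(host, cfg.deny)
    if cfg.order == "deny,allow":   # default allow; a matching allow wins
        return allowed or not denied
    if cfg.order == "allow,deny":   # default deny; a matching deny wins
        return allowed and not denied
    raise ValueError("unknown Order: %s" % cfg.order)

def decide_override(chain, host):
    """Default merger: the lowest-level .htaccess replaces all above it."""
    return evaluate(chain[-1], host)

def decide_chain(chain, host):
    """Proposed merger: every level in the chain must grant access."""
    return all(evaluate(cfg, host) for cfg in chain)

# Constructed from the report: ~/public_html/.htaccess blocks .mil and .gov,
# dir1/.htaccess blocks a .k12. domain, dir1/dir2/.htaccess is empty (and,
# per footnote 1, an empty .htaccess still yields an empty per-module config).
SITE = [
    AccessConfig(deny=[".mil", ".gov"]),   # ./.htaccess
    AccessConfig(deny=[".k12.us"]),        # ./dir1/.htaccess
    AccessConfig(),                        # ./dir1/dir2/.htaccess
]

def report(host, depth):
    """Decision for a request `depth` directories down, under both mergers."""
    chain = SITE[:depth]
    return {"override": decide_override(chain, host),
            "chain": decide_chain(chain, host)}
```

For a .mil client requesting dir1/ (depth 2) the override merger grants access, reproducing the reported symptom, while the chain merger still honours the top-level deny.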
