httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Hartill <>
Subject WWW Form Bug Report: "Nested dirs with .htaccess: only last one prevails. Security bug!" on BSDI (fwd)
Date Mon, 06 Jan 1997 14:31:42 GMT

Any comments ?

Are .htaccess files meant to override eachother. The "AllowOverride"
directive sounds like that's the case.

---------- Forwarded message ----------
Date: Sun Jan 5 21:35:02 1997
Subject: WWW Form Bug Report: "Nested dirs with .htaccess: only last one prevails. Security
bug!" on BSDI

Operating system: BSDI, version: 
Version of Apache Used: 1.2b4
Extra Modules used: CC=shlic2  mod_status mod_info
URL exhibiting problem:

I've been able to recreate a simple test case of
a complex bug reported by one of my users.
I set up the following files under ~/public_html/

Assume that you are accessing from a host listed
in a "deny" directive in ./.htaccess,
but not listed in dir1/.htaccess, then access
to dir1/ will be permitted.

Basically, it seems that only the lowest-level
.htaccess file is having an effect, rather than
the effects of all .htaccess files being concatenated.

What my user is trying to do is to set up a set of
increasingly more restrictive "gates"; at the
top level blocking .mil and .gov, at a second
level blocking out all .k12. accesses, and at
a third level blocking out still other accesses.

Didn't notice this problem under 1.1, it showed
up when I upgraded to 1.2b2.  Didn't see it in bug
list, but upgraded to 1.2b4 before complaining.
I've provided the URL to enough files to reproduce
the problem, all nicely SHARed up for you.
If you need my server /conf/ files I'll make them
available to you; they are fairly close to the
distributed ones, modulo an "AllowOverride All"
directive, and the /status stuff.

I've read all the documentation pretty carefully,
but this might be my error.  If so, please advise
what flag/directive/whatever I need to adjust.




View raw message