httpd-docs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50371] New: missing? documentation on protecting .ht* files
Date Mon, 29 Nov 2010 22:11:31 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50371

           Summary: missing? documentation on protecting .ht* files
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: docs@httpd.apache.org
        ReportedBy: calestyo@scientia.net


Hi.

Not sure whether I've overlooked something, but IMHO the documentation should
include (mainly for "end-users", who easily forget this) the hint that the
".htaccess" file (and similar files) SHOULD be protected against being read by
(normally) anyone.

IMHO the corresponding info should go to (at least):
http://httpd.apache.org/docs/2.2/howto/htaccess.html
and
http://httpd.apache.org/docs/2.2/misc/security_tips.html (in its OWN section or
at least not in "Watching your logs")
and perhaps also to:
http://httpd.apache.org/docs/2.2/mod/core.html#accessfilename


I found only one place where this is listed ATM:
http://httpd.apache.org/docs/2.2/misc/security_tips.html#watchyourlogs
There the following is used:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>


AFAIU how configuration is merged, this alone might be insecure, namely if
anywhere "before" "Satisfy" is set to "Any".

Consider a dir /foo/ where this is done, and a subdir /foo/bar where the
.htpasswd file lies.
Now if a user gets authenticated, he should be able to read the
.htaccess/.htpasswd (which is probably not wanted).

So may I suggest to always use:
<FilesMatch "^\.ht">
    Satisfy All
    Order allow,deny
    Deny from all
</FilesMatch>
(As far as I read, FilesMatch is preferred over the ~ form)
or
<Files ".ht*">
    Satisfy All
    Order allow,deny
    Deny from all
</Files>
which should be the same (AFAIU) and even works if PCRE is not available.


HTH,
Chris

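The merge problem described in the report can be checked statically. The following is an added example, not part of the bug report or of httpd itself: a small auditor for 2.2-style configs that walks section nesting, tracks the inherited Satisfy value, and flags .ht* Files/FilesMatch blocks whose effective Satisfy is Any (the configs it runs on are constructed here to mirror the /foo scenario above).

```python
import re

OPEN_RE = re.compile(r'^<(\w+)\s+(.+)>$')
CLOSE_RE = re.compile(r'^</(\w+)>$')

def audit_htfile_protection(conf):
    """Report .ht* Files/FilesMatch blocks with an effective 'Satisfy Any'."""
    findings = []
    # Synthetic root scope: Apache 2.2's default is Satisfy All.
    stack = [{'name': '', 'arg': '', 'satisfy': 'all', 'deny': False}]
    for raw in conf.splitlines():
        line = raw.strip()
        m = OPEN_RE.match(line)
        if m:  # a new section inherits the enclosing Satisfy value
            stack.append({'name': m.group(1).lower(), 'arg': m.group(2),
                          'satisfy': stack[-1]['satisfy'], 'deny': False})
            continue
        if CLOSE_RE.match(line):
            sec = stack.pop()
            if sec['name'] in ('files', 'filesmatch') and '.ht' in sec['arg']:
                if not sec['deny']:
                    findings.append(f"{sec['arg']}: missing 'Deny from all'")
                elif sec['satisfy'] == 'any':
                    findings.append(f"{sec['arg']}: effective 'Satisfy Any' lets "
                                    "authenticated users read .ht* files")
            continue
        directive, _, value = line.partition(' ')
        directive, value = directive.lower(), value.strip().lower()
        if directive == 'satisfy':
            stack[-1]['satisfy'] = value
        elif directive == 'deny' and value == 'from all':
            stack[-1]['deny'] = True
    return findings

# Constructed configs (not from the bug report's server): the first reproduces
# the scenario described above, the second applies the suggested fix.
UNSAFE_CONF = r"""
<Directory /foo>
    AuthUserFile /foo/bar/.htpasswd
    Require valid-user
    Satisfy Any
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
</Directory>
"""
SAFE_CONF = UNSAFE_CONF.replace(r'<Files ~ "^\.ht">',
    r'<FilesMatch "^\.ht">' + '\n        Satisfy All').replace('</Files>', '</FilesMatch>')
```

A server-wide `Satisfy Any` outside any section is caught the same way, since the root scope is tracked too.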


