Subject: DO NOT REPLY [Bug 50371] New: missing? documentation on protecting .ht* files
Date: Mon, 29 Nov 2010 22:11:31 GMT

           Summary: missing? documentation on protecting .ht* files
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation


Not sure whether I've overlooked something, but IMHO the Documentation should
include (mainly for "end-users", who easily forget this) the hint that the
".htaccess" file (and similar files) SHOULD be protected against being read by
(normally) anyone.

IMHO the corresponding info should go to (at least):
and (in an OWN section or
at least not in "Watching your logs")
and perhaps also to:

I found only one place where this is listed ATM:
There the following is used:
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

AFAIU how configuration is merged, this alone might be insecure, namely if
anywhere "before" "Satisfy" is set to "Any".

Consider a dir /foo/ where this is done, and a subdir /foo/bar where the
.htpasswd file lies.
Now if a user gets authenticated, he should be able to read the
.htaccess/.htpasswd (which is probably not wanted).

So may I suggest to always use:
<FilesMatch "^\.ht">
    Satisfy All
    Order allow,deny
    Deny from all
</FilesMatch>
(As far as I read, FilesMatch is preferred over the ~ form)
<Files ".ht*">
    Satisfy All
    Order allow,deny
    Deny from all
</Files>
which should be the same (AFAIU) and even works if PCRE is not available.
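The scenario the report describes, written out as an added 2.2-style httpd.conf example (not from the bug report or the httpd documentation): the global protection block as the docs show it, a password-protected directory that sets `Satisfy Any`, and the hardened block the reporter proposes. The paths, realm name and AuthUserFile location are assumed.

```apache
# Global default as shown in the docs the report cites: host-based deny only.
# Note that no Satisfy is set here, so whatever Satisfy value applies to the
# enclosing directory is inherited when this section is merged in.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Assumed directory /var/www/foo, protected with Basic auth. The password
# file lives in the subdirectory, as in the report's /foo/bar example.
<Directory "/var/www/foo">
    AuthType Basic
    AuthName "Restricted area (assumed realm)"
    AuthUserFile "/var/www/foo/bar/.htpasswd"
    Require valid-user
    # "Satisfy Any": a request is allowed if EITHER the host rules OR the
    # authentication check passes.
    Satisfy Any
</Directory>

# Merge result for GET /foo/bar/.htpasswd with the two blocks above:
# the <Files> section contributes "Deny from all" (host check fails for
# everyone), but the inherited "Satisfy Any" means a valid login alone is
# enough, so an authenticated user is served the password file.

# Hardened form from the report: pin Satisfy to All inside the block, so
# BOTH checks must pass, and the host check always fails.
<FilesMatch "^\.ht">
    Satisfy All
    Order allow,deny
    Deny from all
</FilesMatch>
```

The same hardened block also applies to `.htaccess` itself, since the pattern covers every file name starting with `.ht`.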

