Date: Mon, 29 Nov 2010 17:11:31 -0500 (EST)
From: bugzilla@apache.org
To: docs@httpd.apache.org
Subject: DO NOT REPLY [Bug 50371] New: missing? documentation on protecting .ht* files

https://issues.apache.org/bugzilla/show_bug.cgi?id=50371

Summary: missing? documentation on protecting .ht* files
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: docs@httpd.apache.org
ReportedBy: calestyo@scientia.net

Hi.

Not sure whether I've overlooked something, but IMHO the documentation should include (mainly for "end-users", who easily forget this) the hint that the ".htaccess" file (and similar files) SHOULD be protected against being read by (normally) anyone.

IMHO the corresponding info should go to (at least):
http://httpd.apache.org/docs/2.2/howto/htaccess.html
and
http://httpd.apache.org/docs/2.2/misc/security_tips.html
(in an OWN section, or at least not in "Watching your logs")
and perhaps also to:
http://httpd.apache.org/docs/2.2/mod/core.html#accessfilename

I found only one place where this is listed ATM:
http://httpd.apache.org/docs/2.2/misc/security_tips.html#watchyourlogs

There the following is used:

    Order allow,deny
    Deny from all

AFAIU how configuration is merged, this alone might be insecure, namely if anywhere "before" "Satisfy" is set to "Any".
Consider a dir /foo/ where this is done, and a subdir /foo/bar where the .htpasswd file lies.
Now if a user gets authenticated, he should be able to read the .htaccess/passwd (which is probably not wanted).

So may I suggest to always use:

    Satisfy All
    Order allow,deny
    Deny from all

(As far as I read, FilesMatch is preferred over the ~ form)

or

    Satisfy All
    Order allow,deny
    Deny from all

which should be the same (AFAIU) and even works if PCRE is not available.

HTH,
Chris
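The merge problem Chris describes, laid out as an added httpd 2.2-style configuration that is not part of the bug report or the Apache docs; the directory paths, network range and realm name are assumed placeholders:

```apache
# Constructed example (not from the bug report): a password-protected parent
# directory /var/www/foo whose .htpasswd lives in the subdirectory /var/www/foo/bar.

# Parent directory. "Satisfy Any" means a request is allowed if EITHER the
# host-based check (Order/Allow) OR the authentication check (Require) passes.
# Satisfy is inherited by every subdirectory and <Files*> section below it.
<Directory /var/www/foo>
    AuthType Basic
    AuthName "Example realm"
    AuthUserFile /var/www/foo/bar/.htpasswd
    Require valid-user
    Order allow,deny
    Allow from 192.0.2.0/24
    Satisfy Any
</Directory>

# WEAK: the security_tips snippet on its own. The host check fails (Deny from
# all), but because "Satisfy Any" is still in effect, a user who authenticates
# passes the Require check and can download .htaccess and .htpasswd.
#
# <FilesMatch "^\.ht">
#     Order allow,deny
#     Deny from all
# </FilesMatch>

# HARDENED: reset Satisfy to All in this scope, so BOTH the host check and the
# authentication check must pass. "Deny from all" fails the host check for every
# client, so the files are refused with 403 regardless of credentials.
<FilesMatch "^\.ht">
    Satisfy All
    Order allow,deny
    Deny from all
</FilesMatch>
```

Validate the syntax with `apachectl configtest`, then confirm the fix by requesting `/foo/bar/.htpasswd` with valid credentials: the weak block returns the file, the hardened block returns 403.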