httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Satisfy Any -> problem with file level access ??
Date Sun, 14 Dec 2003 18:54:17 GMT

On Fri, 12 Dec 2003, Justin Booth wrote:

> Hey all,
>     I think I found a bug that involves "satisfy any". According to the
> documentation satisfy is supposed to deal with username/password and client
> address, but I found that when I use a "satisfy any" in an .htaccess, all
> my File and Directory tags are overridden.

> <Limit GET POST>

Don't use <Limit>.  See the docs on <Limit> for more details.

> The problem is that the satisfy any overrides the <File> tags...
> making it so that any person with either credentials can pull all *.inc
> files and .htaccess files through the web. The way the documentation is
> written, it sounds like the "Satisfy Any" only deals with username/password
> and ip addresses but not the File access levels.

The documentation is correct, though you are right that this situation is
suboptimal.  The fact is, "Deny from all" is a type of host-based access
control.  It just happens to apply to "all" hosts.  So when you use
"Satisfy any", the user-auth can override the host-based access controls
and allow access.

I don't know of any easy solution for this.  A not-so-bad solution would
be

RewriteEngine On
# Anchor the match to the start of a file name so that ".html" is not caught
RewriteRule (^|/)\.ht - [F]

Since mod_rewrite works completely outside the usual auth/access system,
this should not be affected by Satisfy.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
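
Added example (not part of the original message, and not httpd's own code): a simplified Python model of the access decision described in the reply. It shows why an authenticated user gets past "Deny from all" under "Satisfy any", why a rewrite rule is unaffected, and why the rule's pattern should be anchored. The function names, dictionary keys and sample configuration are assumptions made for illustration; the "Satisfy All" variant is not proposed in the thread.

```python
import re

# Simplified model of Apache 2.0 access checking (illustrative, not httpd's code).
DEFAULTS = {"host_ok": True, "require_user": False, "satisfy": "all"}

def effective(sections):
    """Merge config sections in order; later ones override only what they set."""
    cfg = dict(DEFAULTS)
    for section in sections:
        cfg.update(section)
    return cfg

def access_granted(cfg, authenticated):
    """Combine the host check and the user check the way Satisfy prescribes."""
    if not cfg["require_user"]:
        return cfg["host_ok"]
    if cfg["satisfy"] == "any":
        return cfg["host_ok"] or authenticated
    return cfg["host_ok"] and authenticated

def served(path, authenticated, htaccess, files_block, rewrite=None):
    """True if the file would be sent to the client."""
    # mod_rewrite runs outside the access system: [F] refuses before Satisfy matters.
    if rewrite and re.search(rewrite, path):
        return False
    sections = [htaccess]
    if path.rsplit("/", 1)[-1].startswith(".ht"):   # <Files ~ "^\.ht"> applies
        sections.append(files_block)
    return access_granted(effective(sections), authenticated)

# Constructed configuration, seen from a client outside the allowed address range.
HTACCESS = {"host_ok": False, "require_user": True, "satisfy": "any"}
FILES_DENY = {"host_ok": False}                          # Deny from all
FILES_DENY_ALL = {"host_ok": False, "satisfy": "all"}    # plus "Satisfy All"

def demo():
    """Each value says whether the named file is served to a logged-in user."""
    return {
        "htaccess_plain": served(".htaccess", True, HTACCESS, FILES_DENY),
        "htaccess_rewrite": served(".htaccess", True, HTACCESS, FILES_DENY, r"(^|/)\.ht"),
        "html_unanchored": served("index.html", True, HTACCESS, FILES_DENY, r"\.ht"),
        "html_anchored": served("index.html", True, HTACCESS, FILES_DENY, r"(^|/)\.ht"),
        "htaccess_satisfy_all": served(".htaccess", True, HTACCESS, FILES_DENY_ALL),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
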

