httpd-users mailing list archives

From "Hajo Locke" <hajo.lo...@gmx.de>
Subject [users@httpd] filesmatch suspends AccessFileName?
Date Fri, 05 Apr 2013 09:44:57 GMT
Hello,

Interesting thing here. Is this a bug or expected?
Apache is 2.2.23

Customer uses .htaccess which uses some SetEnvIfNoCase directives to filter 
bad bots.
The allow,deny directive is placed within a FilesMatch directive.
Example:

SetEnvIfNoCase user-agent "hallohallo" bad_bot=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>


The regex in the FilesMatch directive is quite useless, but this leads to the 
problem that the .htaccess file can be called via HTTP in a browser and shows all of 
its contents.

http://example.com/.htaccess

Seems to me quite simple for a user to disclose his .htaccess contents by a 
simple FilesMatch directive which suddenly ignores the AccessFileName directive.
Is this a bug or expected?

Thanks,
Hajo 
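
An audit check for the situation described in the message above, added here as an example and not part of the original post: it scans .htaccess text for `<Files>`/`<FilesMatch>` sections whose pattern also covers `.htaccess` or `.htpasswd` and that contain `Allow from all`. The function names, the probe list, and the use of Python's `re` in place of Apache's regex engine are assumptions of this example.

```python
import fnmatch
import re

# Opening tag of a <Files>/<FilesMatch> section: optional "~", then the pattern.
SECTION_OPEN = re.compile(r'<\s*(Files|FilesMatch)\s+(~\s*)?"?([^">]+)"?\s*>', re.I)
SECTION_CLOSE = re.compile(r'<\s*/\s*(Files|FilesMatch)\s*>', re.I)
ALLOW_ALL = re.compile(r'^\s*Allow\s+from\s+all\s*$', re.I)

PROBES = (".htaccess", ".htpasswd")  # assumed list of names that must stay private

# The configuration quoted in the message above.
SAMPLE = '''SetEnvIfNoCase user-agent "hallohallo" bad_bot=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>
'''


def pattern_matches(kind, is_regex, pattern, name):
    """True if a Files/FilesMatch pattern applies to the given file name."""
    if kind.lower() == "filesmatch" or is_regex:
        try:
            # Assumption: Python's re stands in for Apache's regex engine.
            return re.search(pattern, name) is not None
        except re.error:
            return False
    return fnmatch.fnmatchcase(name, pattern)  # plain <Files> takes wildcards


def find_exposing_sections(htaccess_text):
    """Return (line_no, pattern, matched_probes) for sections that allow dotfiles."""
    findings, current = [], None
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        opened = SECTION_OPEN.search(line)
        if opened:
            kind, tilde, pattern = opened.groups()
            hits = [p for p in PROBES if pattern_matches(kind, bool(tilde), pattern, p)]
            current = (line_no, pattern, hits)
        elif SECTION_CLOSE.search(line):
            current = None
        elif current and current[2] and ALLOW_ALL.match(line):
            findings.append(current)  # report each section once
            current = None
    return findings


if __name__ == "__main__":
    print(find_exposing_sections(SAMPLE))
```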

