www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Riedy <...@cise.ufl.edu>
Subject mod_access/817: htaccess ignored if unreadable...
Date Wed, 02 Jul 1997 14:40:02 GMT

>Number:         817
>Category:       mod_access
>Synopsis:       htaccess ignored if unreadable...
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Jul  2 07:40:01 1997
>Originator:     ejr@cise.ufl.edu
>Release:        1.2
SunOS flood 5.5 Generic_103093-12 sun4m sparc SUNW,SPARCstation-4

Apache 1.2 with the cidr.patch and SuppressHTMLPreamble.patch patches
Set an htaccess file up with a ``deny all'' directive.  Clearly,
this should deny everyone access, and it does.  Now make the htaccess
file unreadable by the web server.  The server decides that everything's
fine and returns the page without even an error logged.

I've been known to miss subtle points in the config files before,
so it's possible that I have again.  I seem to remember older versions
simply denying access in similar situations, but I cannot remember
enough details to be useful.

(FYI, we've redefined .htaccess as htaccess locally.)
Go to a directory with an htaccess that denies everyone and 
``chmod 000 htaccess''.  Then try to fetch the URL.  It works.
Check the error log, and you'll find no ``cannot read htaccess''
The obvious fix is to return an internal server error when the 
htaccess isn't readable.  I'm probably going to patch mine this 
weekend to do exactly that (if I can figure out how)

View raw message