www-apache-bugdb mailing list archives

From "Mike Brudenell" <p...@york.ac.uk>
Subject Re: config/1941: AllowOverride ignored in <Directory ~ pattern> and <DirectoryMatch pattern>
Date Wed, 25 Mar 1998 18:00:01 GMT
The following reply was made to PR config/1941; it has been noted by GNATS.

From: "Mike Brudenell" <pmb1@york.ac.uk>
To: apbugs@apache.org
Cc:
Subject: Re: config/1941: AllowOverride ignored in <Directory ~ pattern> and <DirectoryMatch pattern>
Date: Wed, 25 Mar 1998 17:51:06 +0000

 Hmmm... I think I've just experienced a blinding flash of light that answers
 my original problem/bug-report, so here's my confession.  :-}
 
 However I think there is still a problem lurking that I raised in a
 subsequent follow-up message (see entry dated Mon 16 Mar 1998 in this
 problem report within the bugs database).  I mention this again, hopefully a
 little more clearly, towards the end of this message.
 
 
 Resumé
 ------
 The difficulty I was having was in establishing a "default" environment
 through the server's central configuration file whereby:
     *  The /htdocs/ tree was set to AllowOverride None
     *  Directories matching a certain pattern:
             <DirectoryMatch "/^htdocs/.*\.ltd">
        were set within this section to "Deny from all" and "AllowOverride
        AuthConfig Limit"
 
 This latter was to establish a "default" of no access to the contents of a
 directory whose name ended ".ltd" UNLESS it contained an .htaccess file
 specifically allowing access from particular sources.
 
 In my bug report I claimed that although the <DirectoryMatch> section's
 "Deny from all" was being honoured (tested by changing it to an "Allow from
 all") the "AllowOverride" directive was apparently being ignored: the
 .htaccess file was not being processed.
 
 Changing to using an exactly specified name (using <Directory>) eliminated
 the problem and allowed the .htaccess file to be obeyed.
 
 
 The Explanation
 ---------------
 The reason, of course, is "obvious" after the umpteenth re-reading of the
 manual pages...  Apache FIRST processes <Directory> and .htaccess files
 (with the latter overriding the former) and THEN pattern matches set with
 <DirectoryMatch>
 
 I was attempting to do this:
     1.  Set up the "Deny from all" + "AllowOverride AuthConfig Limit" for
         pattern-matched directories using <DirectoryMatch>
     2.  Later override this with settings from an .htaccess file (which is
         now allowed to override courtesy of step 1 above).
 
 In practice Apache reverses the order of this testing to become:
     1.  Ignore the .htaccess file (because of the entire tree's "AllowOverride
         None" setting).
     2.  Process the pattern-match in the <DirectoryMatch> section and:
             a) deny access from all sources
             b) turn on the AllowOverride categories for .htaccess files
 
 Of course (2b) is now too late as the .htaccess file processing step has
 already passed!  Hence access is denied: as I was seeing and tearing my hair
 out over.
 
 Personally I still find this ordering not terribly intuitive... I keep
 thinking in terms of "use pattern-matches to establish general settings,
 then override with specifics".  This is the exact opposite of Apache's
 interpretation for <Directory> and <DirectoryMatch> directives.  I suppose
 this is due to what I think of as an "exact match" affecting not only that
 directory but also all its subdirectories (hence is more of a prefix-match
 rather than an exact match).
 
 However as I said at the start I still think there's an oddity lurking...
 
 
 
 But a Problem Remains?
 ---------------------
 However the question I raised in a follow-up message (dated Mon, 16 Mar 1998
 in this problem report within the bugs database) still stands, I think...
 
 Forgetting all about my <Directory> and <DirectoryMatch> stuff and
 backtracking to basics...
 
 *   If I set "AllowOverride AuthConfig Limit" for the htdocs tree then an
     .htaccess file somewhere in it containing:
         allow from all
         require group some-users
     then a request for a document in the area is honoured (subject to
     authentication).
 
 *   If I modify the .htaccess file to contain:
         <FilesMatch "*">
             allow from all
             require group some-users
         </FilesMatch>
     then the .htaccess file is still (correctly) obeyed and the request for a
     document in the area is honoured (subject to authentication).
 
 Now for the funny behaviour...
 
 *   If I instead set the htdocs tree to "AllowOverride Indexes" I would expect
     this to NOT allow the request at all (not even ask for authentication)
     because an .htaccess file is supposed to only allow "allow" if and only if
     "AllowOverride Limit" is in force, (likewise "require" if and only if
     "AllowOverride AuthConfig" is set).
 
     But instead the request IS honoured (subject to authentication).
 
 This suggests that setting "AllowOverride Indexes" for an area correctly
 prevents "allow", "require", etc from working if they are "loose" within an
 .htaccess file, *BUT* (surely wrongly?) allows them if they appear within a
 <FilesMatch> section in the .htaccess file.
 
 Doesn't this behaviour mean that users could still apply access restrictions
 to items in an area even if the server administrator thought they were
 disabled because the "AuthConfig" and "Limit" categories were not included
 in the AllowOverride directive?
 
 Cheers,
 
 Mike Brudenell
 
 -- 
 The Computing Service, University of York, Heslington, York, YO1 5DD, UK
 Tel: +44-1904-433811  FAX: +44-1904-433740  http://www.york.ac.uk/~pmb1/
 
 * Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
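
The two arrangements described in the message above, side by side, as an added example that is not part of the original post. The directory name `reports.ltd` and the anchored form of the regular expression are assumptions made for illustration; the directives themselves are the ones the message names.

```apache
# Tree-wide default from the message: no .htaccess processing under /htdocs.
<Directory "/htdocs">
    AllowOverride None
</Directory>

# Arrangement A (did not work for the poster).
# Regex sections are merged only after the <Directory>/.htaccess pass has
# finished, so "Deny from all" takes effect but AllowOverride arrives after
# the point where .htaccess would have been read. Current Apache
# documentation states that AllowOverride is valid only in <Directory>
# sections specified without regular expressions.
<DirectoryMatch "^/htdocs/.*\.ltd">
    Deny from all
    AllowOverride AuthConfig Limit
</DirectoryMatch>

# Arrangement B (worked for the poster).
# A non-regex <Directory> section takes part in the same pass as .htaccess,
# so its AllowOverride is already in force when the file is looked up.
# "/htdocs/reports.ltd" is a constructed path.
<Directory "/htdocs/reports.ltd">
    Deny from all
    AllowOverride AuthConfig Limit
</Directory>

# With arrangement B, an .htaccess file in /htdocs/reports.ltd containing
# the lines quoted in the message can open the directory to chosen users:
#
#     allow from all
#     require group some-users
```

Use arrangement A or B for a given directory, not both; they are shown in one file only for comparison.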
