www-apache-bugdb mailing list archives

From Ben Tilly <ben_ti...@trepp.com>
Subject config/6032: Directory and Files directives conflict about .htaccess
Date Thu, 27 Apr 2000 21:00:21 GMT

>Number:         6032
>Category:       config
>Synopsis:       Directory and Files directives conflict about .htaccess
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Apr 27 14:10:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     ben_tilly@trepp.com
>Release:        1.3.12
>Organization:
apache
>Environment:
$ uname -a
Linux ourweb 2.2.10 #3 Tue Sep 7 10:08:15 EDT 1999 i686 unknown

A current Debian Potato using their version of Apache.
>Description:
The following directive in access.ctl prevents people from seeing .htaccess files:

<Files ~ "\.htaccess$">
  order deny,allow
  deny from all
</Files>

When I place it at the beginning of the access.conf file I protect .htaccess files but I lose
password authentication on any .htaccess protected directories.  If I move the directive to
the end of the configuration file then password authentication comes back and the .htaccess
file is still blocked.
>How-To-Repeat:
Insert the above into a configuration both before and after the Directory configuration and
see for yourself what happens.
>Fix:
If this behaviour is expected, then clarify the documentation.  Otherwise modify the parsing.

Regardless of whether this is expected, I suggest modifying the FAQ to point out that people
should modify the access control file to something other than .htaccess, and they should block
them since they frequently contain information that would make it easier to break into a webserver.
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]