Received: (qmail 18730 invoked by uid 2012); 14 Oct 1998 16:34:49 -0000 Message-Id: <19981014163449.18729.qmail@hyperreal.org> Date: 14 Oct 1998 16:34:49 -0000 From: Steve O'Hara-Smith Reply-To: s.ohara@elsevier.nl To: apbugs@hyperreal.org Subject: Selectively enabling open access to default files fails X-Send-Pr-Version: 3.2 >Number: 3209 >Category: mod_access >Synopsis: Selectively enabling open access to default files fails >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Oct 14 09:40:00 PDT 1998 >Last-Modified: Thu Oct 15 02:20:02 PDT 1998 >Originator: s.ohara@elsevier.nl >Organization: >Release: 1.3.3 >Environment: Solaris 2.4 gcc 2.7.2 mod_perl 1.15 >Description: Under Apache 1.2.4 I was using the following in some .htaccess files AuthType Basic AuthName "Some Domain" AuthDBUserFile "/path/to/dbfile" ... allow from all The idea being that index.html should be viewable without restrictions but that everything else should require a password. This worked fine under 1.2.4 (even when index.html is a directory :)) but not under 1.3.1 or 1.3.3. Under 1.3.x a password is always requested with this setup. If I remove the around the restrictions then explicit requests for index.html work fine (no password) but requests to the directory do not. >How-To-Repeat: Set up the above scenario (unfortunately I am inside a firewall and cannot put an example anywhere visible). >Fix: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Wed Oct 14 14:44:44 PDT 1998 State-Changed-Why: Use "satisfy any" in the section. "?*" is matching the index. From: Steve O'Hara-Smith To: marc@apache.org Cc: apache-bugdb@apache.org, apbugs@apache.org Subject: Re: mod_access/3209: Selectively enabling open access to default Date: Thu, 15 Oct 1998 09:20:46 +0200 (MET DST) On 14-Oct-98 marc@apache.org wrote: > Use "satisfy any" in the section. > "?*" is matching the index. Apologies for insufficient information, "satisfy any" is setup by default in the config file. I have now tried adding it to the section but that has changed none of the behaviour. I am aware the "?*" is matching the index, but in 1.2.4 this all behaved nicely - the most specific match to the filename was taken and all behaved intuitively well. Perhaps this was a happy accident, if so would be nice if it were a defined behaviour (just my 2d). ----------------------------------------------------------------------- From Steve O'Hara-Smith On 15-Oct-98 At 09:20:46 Tell a computer to WIN and ... ... You LOSE! ----------------------------------------------------------------------- From: Steve O'Hara-Smith To: marc@apache.org Cc: apbugs@apache.org, apache-bugdb@apache.org Subject: Re: mod_access/3209: Selectively enabling open access to default Date: Thu, 15 Oct 1998 11:16:17 +0200 (MET DST) On 15-Oct-98 Steve O'Hara-Smith wrote: > On 14-Oct-98 marc@apache.org wrote: >> Use "satisfy any" in the section. >> "?*" is matching the index. Actually after deeper thought on this, the basic problem is that "?*" is matching requests to the directory in 1.3.x which it didn't in 1.2.4. ----------------------------------------------------------------------- From Steve O'Hara-Smith On 15-Oct-98 At 11:16:17 Tell a computer to WIN and ... ... You LOSE! ----------------------------------------------------------------------- >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]