From nobody@hyperreal.com  Wed Apr 16 15:12:37 1997
Received: (from nobody@localhost)
          by hyperreal.com (8.8.4/8.8.4)
	  id PAA01620; Wed, 16 Apr 1997 15:12:37 -0700 (PDT)
Message-Id: <199704162212.PAA01620@hyperreal.com>
Date: Wed, 16 Apr 1997 15:12:37 -0700 (PDT)
From: Rob Cash <rcash@nortel.ca>
Reply-To: rcash@nortel.ca
To: apbugs@hyperreal.com
Subject: .htaccess is not always honored
X-Send-Pr-Version: 3.2

>Number:         407
>Category:       mod_access
>Synopsis:       .htaccess is not always honored
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          closed
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Apr 16 15:20:01 1997
>Last-Modified:  Wed Apr 16 19:06:55 PDT 1997
>Originator:     rcash@nortel.ca
>Organization:
>Release:        1.2b8
>Environment:
OS: Solaris 2.5.1 Kernel patch Generic_103640-03
Compiler: SPARCworks 3.0.1
>Description:
When I try to access an HTML document (either through a link or by typing
in the URL myself) that is located in a 'private' directory (protected by
a .htaccess file), I am asked for a password (as is expected).  I click
cancel and am denied access.  However if I access some CGI script in that
directory through a form, I am allowed access.
>How-To-Repeat:
I'm behind a firewall so I'll have to give you the files.
The first file, test.html, provides you with a form and a link.  Clicking
either will take you into the private directory.  If you got there through
the link you will be asked for a password if you got there through the form
you will not be asked for a password.

test.html:
<html>
<body>
<form action=private/test.cgi method=post>
<input type=submit>
</form>
<p>
 
Click <a href="private/index.html">here</a>
</body>
</html>


Here's private/test.cgi:
#!/usr/bin/perl
 
print "Content-type: text/html\n\n";
 
print "<html>\n";
print "<body>\n";
print "<h1>Hi</h1>\n";
print "</body>\n";
print "</html>\n";


Here's private/index.html:
<html>
<body>
<h1>Hello from index.html</h1>
</body>
</html>


Here's the .htaccess file:
AuthType Basic
AuthName SLAP Utility Private Area
AuthUserFile .htpasswd
<Limit GET PUT>
require valid-user
</Limit>


Here's the .htpasswd file:
guest:Bmb8VdQw2/P.E
>Fix:
Sorry, but I don't
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: marc
State-Changed-When: Wed Apr 16 19:06:54 PDT 1997
State-Changed-Why:
User reports the below comment resolves their confusion:

You are telling it to limit GET and PUT.  Then you are doing a POST.  If
you want to limit POST, you need to tell it to.

You should also be able to just leave the <Limit> and </Limit> bit out and
have it apply to all methods.

>Unformatted: