Received: (qmail 13333 invoked by uid 501); 7 Dec 2000 01:47:51 -0000
Message-Id: <20001207014751.13328.qmail@locus.apache.org>
Date: 7 Dec 2000 01:47:51 -0000
From: Tim Oaks <tim.oaks@otago.ac.nz>
Reply-To: tim.oaks@otago.ac.nz
To: submit@bugz.apache.org
Subject: Regular expressions in .htaccess files do not work as expected.
X-Send-Pr-Version: 3.110

>Number:         6940
>Category:       general
>Synopsis:       Regular expressions in .htaccess files do not work as expected.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Dec 06 17:50:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     tim.oaks@otago.ac.nz
>Release:        1.3.12 and 1.3.14
>Organization:
apache
>Environment:
OS: Tru64 UNIX 4.0F, gcc version 2.95.2 OSF1 celeborn.otago.ac.nz V4.0 1229 alpha
>Description:
I have checked the news groups, I came across the exact problem with no reply on deja news
dated 27/07/2000

Basically I'm trying to restrict access to files in a directory and sub-directories below using a .htaccess file
with the <FilesMatch> directive and regular expressions.

It seems that if there are more than 3 alternatives in a regular expression separated by | then either access control fails completely - these is no block
or there is a total block.

Here's the content of my .htaccess file.

<FilesMatch "(geog.html|pequod|\.gif)">
  AuthName "geography"
  AuthType Basic
  AuthUserFile /WWW/configs/intranet/conf/wwwusers
  AuthGroupFile /WWW/configs/intranet/conf/wwwgroups
  require group geog

  order allow,deny
  allow from 139.80.64 139.80.76 139.80.28
  deny from 139.80.64.4
  satisfy any
</FilesMatch>

The above construct works. If I come in from an allowed IP 139.80.28.*, then I can see pages geog.html, gifs/*.gif and html/pequod*

If I add an extra alternative such as the following
# does not work <FilesMatch "(geog|hyper|pequod).*|\.gif">
It does not work.
The following do or do not work as marked.
# works <FilesMatch "geog.html|hyper.*|\.gif">
# works <FilesMatch "(geog|hyper).*|\.gif">
# works <FilesMatch "geog.html|pequod.*|\.gif">
# does not work <FilesMatch "geog.html|pequod.*|hyperperth.*|\.gif">
# does not work <FilesMatch "geog.html|hyperperth.*|\.gif">
# works <FilesMatch "geog.html|\.gif">
# works <FilesMatch "geog.html|hyper.*|\.gif">

The error message reported at my netscape browser is

Forbidden - you dont have access to access geog.html on this server, and a similar message in the error log
[Thu Dec  7 14:40:56 2000] [error] [client 139.80.28.37] client denied by server
 configuration: /WWW/intranet/bb/geog.html

Thanks for your help.

Regards Tim Oaks
>How-To-Repeat:
If you need it, I can put one of your IP's into the range of allowed IP's so you can see the problem.
>Fix:
No.
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]