From nobody@hyperreal.org Wed Jul 2 07:35:50 1997 Received: (from nobody@localhost) by hyperreal.org (8.8.5/8.8.5) id HAA01264; Wed, 2 Jul 1997 07:35:50 -0700 (PDT) Message-Id: <199707021435.HAA01264@hyperreal.org> Date: Wed, 2 Jul 1997 07:35:50 -0700 (PDT) From: Jason Riedy Reply-To: ejr@cise.ufl.edu To: apbugs@hyperreal.org Subject: htaccess ignored if unreadable... X-Send-Pr-Version: 3.2 >Number: 817 >Category: mod_access >Synopsis: htaccess ignored if unreadable... >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Jul 2 07:40:01 1997 >Last-Modified: Sun Aug 24 19:27:30 PDT 1997 >Originator: ejr@cise.ufl.edu >Organization: >Release: 1.2 >Environment: SunOS flood 5.5 Generic_103093-12 sun4m sparc SUNW,SPARCstation-4 Apache 1.2 with the cidr.patch and SuppressHTMLPreamble.patch patches installed. >Description: Set an htaccess file up with a ``deny all'' directive. Clearly, this should deny everyone access, and it does. Now make the htaccess file unreadable by the web server. The server decides that everything's fine and returns the page without even an error logged. I've been known to miss subtle points in the config files before, so it's possible that I have again. I seem to remember older versions simply denying access in similar situations, but I cannot remember enough details to be useful. (FYI, we've redefined .htaccess as htaccess locally.) >How-To-Repeat: Go to a directory with an htaccess that denies everyone and ``chmod 000 htaccess''. Then try to fetch the URL. It works. Check the error log, and you'll find no ``cannot read htaccess'' errors. >Fix: The obvious fix is to return an internal server error when the htaccess isn't readable. I'm probably going to patch mine this weekend to do exactly that (if I can figure out how) >Audit-Trail: State-Changed-From-To: open-suspended State-Changed-By: brian State-Changed-When: Sun Jul 20 21:27:29 PDT 1997 State-Changed-Why: These seems like a perfectly reasonable request - when you finish the patch send it on and we'll consider it for inclusion. It's possible that folks out there are relying upon this behavior for some perverse reason, but I think we'll probably change it as you suggest... State-Changed-From-To: suspended-closed State-Changed-By: marc State-Changed-When: Sun Aug 24 19:27:29 PDT 1997 State-Changed-Why: A patch to make Apache refuse to serve requests if the htaccess is unreadable has been applied to the 1.3 tree in revision 1.75 of http_config.c >Unformatted: