Re: filesmatch suspends AccessFileName?


 



On 5 April 2013 10:44, Hajo Locke <hajo.locke@xxxxxx> wrote:
Hello,

interesting thing here. Is this a bug or expected?
Apache is 2.2.23

Customer uses .htaccess which uses some SetEnvIfNoCase directives to filter bad bots.
The allow,deny directive is placed within a FilesMatch directive.
example:

SetEnvIfNoCase user-agent "hallohallo" bad_bot=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>


The regex in the FilesMatch directive is quite useless, but this leads to the problem that the .htaccess file can be called by HTTP in a browser and shows all of its contents.

http://example.com/.htaccess

Seems to me quite simple for a user to disclose his .htaccess contents by simple filesmatch directive which suddenly ignores AccessFileName directive.
Is this a bug or expected?

Thanks,
Hajo



Hello Hajo
Try this at the top level
<Directory /further/up/tree>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
</Directory>
or
<Files .htaccess>
 order allow,deny
 deny from all
</Files>

What you've written makes logical sense and I would be allowed access to .htaccess
All the best Paul




--
"I know one thing: That I know nothing" - Socrates
"We're all explorers here" - T S Eliot
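
The situation in this thread can be checked for mechanically. The following is an added example, not part of either message and not Apache's own code: a Python check that flags `<Files>`/`<FilesMatch>` sections in a `.htaccess` file whose pattern also matches `.htaccess` itself and which contain an access-granting directive, as the `(.*)` section in the question does. The function names and sample input are constructed here, and Apache's PCRE patterns are approximated with Python's `re`.

```python
import fnmatch
import re

# Opening/closing tags of <Files> and <FilesMatch> sections.
SECTION_OPEN = re.compile(r'^\s*<(Files|FilesMatch)\s+(~\s*)?"?([^">]+)"?\s*>', re.I)
SECTION_CLOSE = re.compile(r'^\s*</(Files|FilesMatch)\s*>', re.I)
# Apache 2.2 directives that can let a request through ("Order Deny,Allow" defaults to allow).
GRANTS_ACCESS = re.compile(r'^\s*(Allow\s+from\b|Order\s+Deny\s*,\s*Allow\b)', re.I)

def pattern_matches(kind, is_regex, pattern, filename):
    """True if the section's pattern would apply to `filename`."""
    if kind.lower() == "filesmatch" or is_regex:
        try:
            return re.search(pattern, filename) is not None
        except re.error:
            return False  # PCRE syntax Python cannot parse: review by hand
    return fnmatch.fnmatchcase(filename, pattern)  # <Files> uses ? and * wildcards

def find_exposing_sections(htaccess_text, protected=".htaccess"):
    """Return (line_no, pattern) for sections that match `protected` and grant access."""
    findings = []
    current = None  # (line_no, pattern, applies) while inside a section
    grants = False
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        m = SECTION_OPEN.match(line)
        if m:
            kind, tilde, pattern = m.group(1), m.group(2), m.group(3).strip()
            current = (no, pattern, pattern_matches(kind, bool(tilde), pattern, protected))
            grants = False
        elif current and SECTION_CLOSE.match(line):
            if current[2] and grants:
                findings.append(current[:2])
            current = None
        elif current and GRANTS_ACCESS.match(line):
            grants = True
    return findings

# Constructed sample: the .htaccess from the question plus a narrower section.
SAMPLE = r'''SetEnvIfNoCase user-agent "hallohallo" bad_bot=1
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>
<FilesMatch "\.(php|html)$">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>
'''
```

Only the `(.*)` section is reported for the sample; a deny-only section such as the `<Files .htaccess>` block suggested in the reply is not flagged.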
