Hi,
I have a query/suggestion regarding Satisfy and the server
configuration file (httpd.conf).
The default server configuration prevents .htaccess (names matching
.ht*) to be served (see below).
However, when using IP and password authentication with "Satisfy any"
in a .htaccess file these files are served! (see e.g.
http://httpd.apache.org/docs/1.3/misc/FAQ.html, FAQ3)
The "Satisfy any" also applies to the files matching the <Files>
directive (see below).
When only basic password authentication is used in the .htaccess but
Satisfy Any remains in this file, the .ht* files are also served. So,
basically, .ht* files are served as soon as Satisfy is set to Any (in
combination with password authentication).
I think we never want to server these ".ht*" files.
Would it not be good to add "Satisfy all" to the directives below in
the default Apache sources (or am I missing something why .htaccess
serving happens?)
Regards,
Bernd
>From httpd.conf (Apache/2.0.46), RedHat
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
>From httpd-std.conf.in and httpd-win.conf (sources Apache/2.0.55)
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|