>Number: 407 >Category: mod_access >Synopsis: .htaccess is not always honored >Confidential: no >Severity: serious >Priority: medium >Responsible: apache (Apache HTTP Project) >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Apr 16 15:20:01 1997 >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2b8 >Environment: OS: Solaris 2.5.1 Kernel patch Generic_103640-03 Compiler: SPARCworks 3.0.1 >Description: When I try to access an HTML document (either through a link or by typing in the URL myself) that is located in a 'private' directory (protected by a .htaccess file), I am asked for a password (as is expected). I click cancel and am denied access. However if I access some CGI script in that directory through a form, I am allowed access. >How-To-Repeat: I'm behind a firewall so I'll have to give you the files. The first file, test.html, provides you with a form and a link. Clicking either will take you into the private directory. If you got there through the link you will be asked for a password if you got there through the form you will not be asked for a password.
test.html: <html> <body> <form action=private/test.cgi method=post> <input type=submit> </form> <p> Click <a href="private/index.html">here</a> </body> </html> Here's private/test.cgi: #!/usr/bin/perl print "Content-type: text/html\n\n"; print "<html>\n"; print "<body>\n"; print "<h1>Hi</h1>\n"; print "</body>\n"; print "</html>\n"; Here's private/index.html: <html> <body> <h1>Hello from index.html</h1> </body> </html> Here's the .htaccess file: AuthType Basic AuthName SLAP Utility Private Area AuthUserFile .htpasswd <Limit GET PUT> require valid-user </Limit> Here's the .htpasswd file: guest:Bmb8VdQw2/P.E >Fix: Sorry, but I don't >Audit-Trail: >Unformatted:
