>Number: 817
>Category: mod_access
>Synopsis: htaccess ignored if unreadable...
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Jul 2 07:40:01 1997
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2
>Environment:
SunOS flood 5.5 Generic_103093-12 sun4m sparc SUNW,SPARCstation-4
Apache 1.2 with the cidr.patch and SuppressHTMLPreamble.patch patches installed.
>Description:
Set an htaccess file up with a ``deny all'' directive. Clearly, this should deny everyone access, and it does. Now make the htaccess file unreadable by the web server. The server decides that everything's fine and returns the page without even an error logged.

I've been known to miss subtle points in the config files before, so it's possible that I have again. I seem to remember older versions simply denying access in similar situations, but I cannot remember enough details to be useful.

(FYI, we've redefined .htaccess as htaccess locally.)
>How-To-Repeat:
Go to a directory with an htaccess that denies everyone and ``chmod 000 htaccess''. Then try to fetch the URL. It works. Check the error log, and you'll find no ``cannot read htaccess'' errors.
>Fix:
The obvious fix is to return an internal server error when the htaccess isn't readable. I'm probably going to patch mine this weekend to do exactly that (if I can figure out how)
>Audit-Trail:
>Unformatted:
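
The fail-closed behaviour proposed under >Fix:, sketched as an added C example that is not part of the original report and is not Apache's own code. The names acl_open, acl_classify_errno and acl_status are hypothetical, and treating ENOTDIR the same as ENOENT is an assumption.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical outcomes of looking up a per-directory access file. */
enum acl_result {
    ACL_ABSENT,  /* no such file: nothing to enforce, continue */
    ACL_LOADED,  /* file opened: caller parses and enforces it */
    ACL_ERROR    /* file exists but is unusable: refuse the request */
};

/* Map the errno of a failed open() to a decision. Only "does not exist"
 * means "no restrictions"; every other failure fails closed. */
enum acl_result acl_classify_errno(int err)
{
    if (err == ENOENT || err == ENOTDIR)  /* ENOTDIR: assumption, see lead-in */
        return ACL_ABSENT;
    return ACL_ERROR;  /* EACCES (the chmod 000 case), EIO, ELOOP, ... */
}

/* Open the access file at path. On ACL_LOADED, *fd_out holds the descriptor.
 * On ACL_ERROR the reason is logged so the failure shows up in the error log. */
enum acl_result acl_open(const char *path, int *fd_out)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        *fd_out = fd;
        return ACL_LOADED;
    }
    int err = errno;  /* save before any call that may overwrite it */
    enum acl_result r = acl_classify_errno(err);
    if (r == ACL_ERROR)
        fprintf(stderr, "cannot read %s: %s; denying request\n", path, strerror(err));
    return r;
}

/* Status a handler would return before serving content; 0 means continue. */
int acl_status(enum acl_result r)
{
    return r == ACL_ERROR ? 500 : 0;
}

int main(void)
{
    int fd = -1;
    enum acl_result r = acl_open("htaccess", &fd);  /* file name as in the report */
    printf("result=%d status=%d\n", (int)r, acl_status(r));
    if (r == ACL_LOADED)
        close(fd);
    return 0;
}
```

Run it as the web server's user in a directory where htaccess has mode 000 to see the 500 path; running it as root will not reproduce the error because root bypasses the permission check.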
